Rate limit new account creation, password change, etc. emails
Categories: bugzilla.mozilla.org :: Email Notifications, defect, P3
People: Reporter: ranjitkolhal5757, Assigned: dkl
Keywords: sec-low
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Firefox for Android
Steps to reproduce:
- Create a new account for Bugzilla
- Enter your email
- Press enter and capture this request [burp_suite]
- Send to intruder
- Add [+11.....] before the @
  For example: example@gmail.com >>> example+1111@gmail.com
  Encoded: example%40gmail.com >>>> example%2B1111%40gmail.com
- Add null payloads [100+] - Start attack
Actual results:
Attacker is able to send verification / account creation request emails in bulk.
Expected results:
- Spamming on other users
- Harm Firefox reputation [I think]
- Increase mail charges
Thanks for your report.
It's true that Bugzilla is missing rate limiting on these emails. I'm rating this as sec-low as the impact is minimal, and we have generic request rate limiting in place that should catch significant abusers.
Thanks for the response.
Now the report is OPEN. When does the report go to the final stage?
This is my first submission on Bugzilla, so I don't know the process. Can you help me to understand? :)
(In reply to Ranjit from comment #4)
Thanks for the response.
Now the report is OPEN. When does the report go to the final stage?
This is my first submission on Bugzilla, so I don't know the process. Can you help me to understand? :)
Right now this bug hasn't been scheduled to be worked on; you'll see activity on the bug when that happens.
Given the low severity I wouldn't expect this issue to be resolved soon.
Comment 10•3 years ago
(In reply to Ranjit from comment #9)
Hello security team :)
Any update here?
If there are updates they will appear on the bug. Please do not comment every week asking for updates, it just creates spam for everyone.
Comment 11•3 years ago
This bug does not qualify for our bug bounty
Comment 12•3 years ago (Assignee)
We can add code to send pings to iprepd when these events occur (instead of just errors) to mitigate this type of activity.
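As an added illustration of the mitigation idea in comment 12 (not BMO's or iprepd's code), the following rate limiter counts account-creation and password-reset emails against a recipient key that folds plus-addressed variants such as example+1111@gmail.com into the base address, so the bypass in the report lands in one bucket; it goes one step beyond the report by also keying on the client IP. The limits, the injectable clock and the sample IP 203.0.113.7 are constructed assumptions for the example.

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed limits for this example (not BMO's real configuration):
# event kind -> (max emails per key, window in seconds)
LIMITS = {
    "account_create": (3, 3600),
    "password_reset": (5, 3600),
}


def normalize_address(email: str) -> str:
    """Canonicalize a recipient so plus-addressed variants share one bucket."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep:
        return email.strip().lower()  # no '@': key on the raw string
    return f"{local.split('+', 1)[0]}@{domain}"


class EmailRateLimiter:
    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock  # injectable so tests can advance time deterministically
        self.events = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, kind: str, recipient: str, client_ip: Optional[str] = None) -> bool:
        """True if the email may be sent; False if it should be dropped (and logged).
        Every key must be under its limit before the event is recorded on any of them."""
        max_events, window = self.limits[kind]
        now = self.clock()
        keys = [(kind, "addr", normalize_address(recipient))]
        if client_ip:
            keys.append((kind, "ip", client_ip))
        for key in keys:
            q = self.events[key]
            while q and now - q[0] > window:  # expire entries outside the window
                q.popleft()
            if len(q) >= max_events:
                return False
        for key in keys:
            self.events[key].append(now)
        return True


def simulate_plus_address_burst(n: int = 100) -> int:
    """Replay the report: n signups for example+1..n@gmail.com from one
    constructed client IP. Returns how many emails would actually go out."""
    limiter = EmailRateLimiter(clock=lambda: 0.0)
    return sum(
        limiter.allow("account_create", f"example+{i}@gmail.com", "203.0.113.7")
        for i in range(1, n + 1)
    )
```

A denied event is the point at which a real deployment would report to a reputation service such as iprepd rather than silently drop.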
Comment 13•3 years ago (Assignee)
Comment 14•3 years ago (Assignee)
Merged to master and will be in next week's deployment.
https://github.com/mozilla-bteam/bmo/commit/d23d4d991d2cbe2205998a7dfd5281af40a31365
Comment 15•3 years ago (Reporter)
Any bounties?
Comment 16•3 years ago (Assignee)
(In reply to Daniel Veditz [:dveditz] from comment #11)
This bug does not qualify for our bug bounty
Unfortunately it was already determined in comment 11.