Posts

Showing posts from December, 2015

Email Address disclosure of all the Mozilla Add-ons Accounts (Indirect Object reference)

Hi All,

Bug Title : Email Address disclosure of all the Mozilla Add-ons Accounts (Indirect Object reference)

Bug type : Insecure Direct Object Reference (IDOR)

Category : Broken access control (missing authorization check, horizontal privilege escalation)

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Organization : Mozilla

Web Application Link : https://addons.mozilla.org/en-US/firefox/

Description : Go to https://addons.mozilla.org/en-US/firefox/users/edit. Here you get an option to hide your email address from other users. Once you hide your email address, no other user should be able to see or obtain the email address associated with your account. But there is a way to get the email address of any user.

Steps to reproduce :

1. Create a collection and go to the collection settings.
2. Go to Contributors and add any valid email ID of any user.
3. Save it and intercept this request.

HTTP request : POST /en-US/firefox/collections/vijaykumar1110/mypersonalcollections/edit/contr…

Delete Component watching for All Bugzilla Accounts in Mozilla (Indirect Object reference)

Bug Title : Delete Component watching for All Bugzilla Accounts in Mozilla (Indirect Object reference)

Bug type : Insecure Direct Object Reference (IDOR)

Category : Broken access control (missing authorization check, horizontal privilege escalation)

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Organization : Mozilla

Web Application Link : https://bugzilla.mozilla.org/

Description : In a developer's Bugzilla account there is a Component Watching feature where you can save which product components you want to watch for bugs.

Exact link : https://bugzilla.mozilla.org/userprefs.cgi?tab=component_watch

When you save a component watch it is stored with an ID. When you delete it, the HTTP request deletes the watch by that ID, and the server does not check that the watch belongs to the user making the request. So you can change the ID in the request and delete any user's component watch, and by running a script over the ID range you can delete every user's component watches.
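The following is an added illustration of the flaw described above and of the fix, written for this page; it is not Bugzilla's code. It models a component-watch store in plain Python: `delete_watch_vulnerable` deletes whatever ID the client submits after checking only that someone is logged in, while `delete_watch_fixed` scopes the lookup to the calling user's own watches. `wipe_all_watches` models the "run a script over the ID range" part of the write-up. All names and the sample data are hypothetical and constructed here.

```python
"""Toy model of a component-watch deletion IDOR and its fix.

Added example for this page, not Bugzilla's code. The class and function
names and the sample accounts below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class ComponentWatch:
    watch_id: int
    owner: str        # login of the account that created the watch
    product: str
    component: str


@dataclass
class WatchStore:
    """In-memory stand-in for the component_watch table."""
    watches: dict = field(default_factory=dict)

    @staticmethod
    def sample():
        # Constructed sample data: two accounts, three watches.
        store = WatchStore()
        for w in (
            ComponentWatch(101, "alice@example.com", "Firefox", "Bookmarks"),
            ComponentWatch(102, "alice@example.com", "Core", "DOM"),
            ComponentWatch(103, "bob@example.com", "Firefox", "Tabbed Browser"),
        ):
            store.watches[w.watch_id] = w
        return store


class PermissionDenied(Exception):
    pass


def delete_watch_vulnerable(store, session_user, watch_id):
    """Authentication is checked, authorization is not: the handler deletes
    whatever ID the client submitted, regardless of who owns it."""
    if session_user is None:
        raise PermissionDenied("login required")
    return store.watches.pop(watch_id, None) is not None


def delete_watch_fixed(store, session_user, watch_id):
    """Same operation, but the lookup is scoped to the caller's own watches.
    A valid ID owned by someone else is treated exactly like a nonexistent
    ID, so the response does not confirm that the ID exists."""
    if session_user is None:
        raise PermissionDenied("login required")
    watch = store.watches.get(watch_id)
    if watch is None or watch.owner != session_user:
        return False
    del store.watches[watch_id]
    return True


def wipe_all_watches(store, session_user, delete_fn, id_range):
    """Models the scripted attack: submit a delete for every ID in the range.
    Returns the IDs that were actually deleted."""
    return [wid for wid in id_range if delete_fn(store, session_user, wid)]


if __name__ == "__main__":
    # bob iterates IDs 100..110 against both handlers.
    vuln = WatchStore.sample()
    print("vulnerable handler deleted:",
          wipe_all_watches(vuln, "bob@example.com", delete_watch_vulnerable, range(100, 111)))
    fixed = WatchStore.sample()
    print("fixed handler deleted:",
          wipe_all_watches(fixed, "bob@example.com", delete_watch_fixed, range(100, 111)))
```

Against the vulnerable handler the loop removes all three watches, including alice's; against the fixed handler it removes only bob's own watch (ID 103). In a real database-backed application the equivalent fix is to put the owner in the query itself (`DELETE ... WHERE id = ? AND user_id = ?`) rather than fetching by ID and checking ownership afterwards, so there is no code path that can forget the check.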

Video POC link: https://www.dropbox.com/sc/b581mjcf95gbmek/AAC4OBJtn2Aol8HdGg7bCZpTa


Mozilla fixed the issue within a day and rewarded wit…