The Bugzilla login cookie is not restricted to secure (SSL) connections. Thus, if I log in to Bugzilla from a hostile network and open any non-SSL page in the same browser, the network operator can 302 me to a spoofed http://bugzilla.samba.org, steal my login cookie, and proceed to impersonate me.
Do you have any links or other info about the details? We might add this for the new Bugzilla, but we need some more info about this :-)
See https://bugzilla.mozilla.org/show_bug.cgi?id=449984 . It looks like Bugzilla 3.2 and newer take care of this automatically if the "ssl*" parameters are set correctly. You just may wish to clear the "logincookies" table on upgrade so that previously issued cookies that may have been leaked are no longer accepted.
This is now fixed. Login cookies are now transmitted over SSL only.
Verified. And my cookie from before the upgrade was correctly rejected. Nice work.
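A check of the kind used to verify the fix above, as an added example that is not part of the bug report: it parses `Set-Cookie` headers and reports login cookies issued without the `Secure` attribute. The header lines are constructed sample data, and the cookie names `Bugzilla_login` / `Bugzilla_logincookie` are assumed here rather than taken from the report.

```python
"""Report session cookies that are set without the Secure attribute.

Added example, not code from the bug report. The response headers below
are constructed samples modelling a Bugzilla login before and after the
fix; the cookie names are an assumption for this illustration.
"""
from typing import Dict, List

# Constructed sample headers: the same login cookies with and without Secure.
BEFORE_FIX = [
    "Set-Cookie: Bugzilla_login=42; path=/; HttpOnly",
    "Set-Cookie: Bugzilla_logincookie=AbCdEf; path=/; HttpOnly",
]
AFTER_FIX = [
    "Set-Cookie: Bugzilla_login=42; path=/; secure; HttpOnly",
    "Set-Cookie: Bugzilla_logincookie=AbCdEf; path=/; secure; HttpOnly",
]

# Cookie names that carry the login session (assumed names).
SESSION_COOKIES = {"Bugzilla_login", "Bugzilla_logincookie"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def insecure_session_cookies(headers: List[str]) -> List[str]:
    """Return the session cookie names that were issued without Secure."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in SESSION_COOKIES and "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


if __name__ == "__main__":
    print("before fix:", insecure_session_cookies(BEFORE_FIX))
    print("after fix: ", insecure_session_cookies(AFTER_FIX))
```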