Closed Bug 1001153 Opened 10 years ago Closed 10 years ago

CSRF Vulnerability in NewsLetter

Categories

(www.mozilla.org :: Newsletters, defect)

All
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: allan.jay71, Assigned: pmac)

Details

Attachments

(1 file)

Attached file mozilla.html
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

Steps to reproduce:

I made a file from this URL http://www.mozilla.org/en-US/newsletter/
and copied the FORM from the source code.


Actual results:

The form is vulnerable to CSRF and has no CSRF token.
This is the screenshot: http://prntscr.com/3d3rw6


Expected results:

It must be redirected to http://www.mozilla.org/en-US/newsletter/
and must get this confirmation:
http://prntscr.com/3d3sjd
OS: All → Windows 7
Assignee: gerv → nobody
Component: Discussion Forums → Newsletters
Product: mozilla.org → www.mozilla.org
QA Contact: justdave
Assignee: nobody → pmac
Hi Curtis, can you help find someone in security that can look at this bug? Paul and Josh are inclined to believe this isn't a real vulnerability for this particular form but need the security team's verification.
Group: websites-security
Flags: needinfo?(curtisk)
(In reply to Mike Alexis [:malexis] from comment #1)
> Hi Curtis, can you help find someone in security that can look at this bug? 
> Paul and Josh are inclined to believe this isn't a real vulnerability for
> this particular form but need the security team's verification.

This is a non-issue since newsletter uses double opt-in. A user has to confirm their subscription before they get e-mails outside of the confirmation. We could put in a captcha, but that doesn't achieve much since the malicious actor could already just submit any email.

Closing as WONTFIX since we have the recommended mitigation in place (double opt-in).
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(curtisk)
Resolution: --- → WONTFIX
Group: websites-security
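An added illustration of the double opt-in argument in the comment above; this is not code from the bug or from mozilla.org. The `Newsletter` class, the one-day token lifetime and the addresses are assumed for the example. It models why a forged cross-site submission of the signup form produces at most one confirmation mail to the victim and never a confirmed subscription.

```python
import secrets
import time

CONFIRM_TTL = 24 * 3600  # pending signups expire after a day (assumed policy)


class Newsletter:
    """Double opt-in list: illustrative model, not mozilla.org's code."""

    def __init__(self):
        self.pending = {}       # token -> (email, created_at)
        self.subscribed = set()
        self.outbox = []        # (email, token): confirmation mails "sent"

    def subscribe(self, email, now=None):
        """Handle a POST of the signup form, from any origin. The only effect
        is a pending record and one confirmation mail to the given address."""
        now = time.time() if now is None else now
        if email in self.subscribed:
            return None                     # already confirmed; no extra mail
        token = secrets.token_urlsafe(32)   # unguessable, single-use
        self.pending[token] = (email, now)
        self.outbox.append((email, token))
        return token

    def confirm(self, token, now=None):
        """Handle the link in the confirmation mail. Only the mailed token
        works, so a forged cross-site POST cannot finish a subscription."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        email, created = entry
        if now - created > CONFIRM_TTL:
            return False                    # stale token; user must re-subscribe
        self.subscribed.add(email)
        return True


def forged_post_outcome():
    """Simulate the report: a third-party page auto-submits the signup form
    for victim@example.test (constructed address). Returns (confirmed,
    subscribed, mails_sent)."""
    nl = Newsletter()
    nl.subscribe("victim@example.test", now=0)
    # The attacker never sees the token; it only went to the victim's mailbox.
    completed = nl.confirm("attacker-guess", now=1)
    return completed, "victim@example.test" in nl.subscribed, len(nl.outbox)
```

The residual effect of a forged submission is the single confirmation mail, which is why the comment notes that a captcha would add little: anyone can already submit any address once.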
