Closed
Bug 1001153
Opened 10 years ago
Closed 10 years ago
CSRF Vulnerability in NewsLetter
Categories
(www.mozilla.org :: Newsletters, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: allan.jay71, Assigned: pmac)
Details
Attachments (1 file): 11.73 KB, text/html
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

Steps to reproduce:
I made a file from this URL http://www.mozilla.org/en-US/newsletter/ and copied the FORM from the source code.

Actual results:
The form is vulnerable to CSRF and has no CSRF token. This is the screenshot: http://prntscr.com/3d3rw6

Expected results:
It must be redirected to http://www.mozilla.org/en-US/newsletter/ and must get this confirmation: http://prntscr.com/3d3sjd
Updated•10 years ago
Assignee: gerv → nobody
Component: Discussion Forums → Newsletters
Product: mozilla.org → www.mozilla.org
QA Contact: justdave
Updated•10 years ago
Assignee: nobody → pmac
Comment 1•10 years ago
Hi Curtis, can you help find someone in security that can look at this bug? Paul and Josh are inclined to believe this isn't a real vulnerability for this particular form but need the security team's verification.
Group: websites-security
Flags: needinfo?(curtisk)
Comment 2•10 years ago
(In reply to Mike Alexis [:malexis] from comment #1)
> Hi Curtis, can you help find someone in security that can look at this bug?
> Paul and Josh are inclined to believe this isn't a real vulnerability for
> this particular form but need the security team's verification.

This is a non-issue since newsletter uses double opt-in. A user has to confirm their subscription before they get e-mails outside of the confirmation. We could put in a captcha, but that doesn't achieve much since the malicious actor could already just submit any email.

Closing as WONTFIX since we have the recommended mitigation in place (double opt-in).
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(curtisk)
Resolution: --- → WONTFIX
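The double opt-in flow that comment 2 relies on, as an added example that is not the page's or mozilla.org's own code (Python, in-memory; the service class, the scenario function and the addresses are hypothetical): a signup request, however it was triggered, only produces a confirmation mail, and nothing is delivered until the token from that mail is presented.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class NewsletterService:
    """Minimal double opt-in subscription flow (hypothetical, in-memory)."""
    pending: dict = field(default_factory=dict)   # confirmation token -> e-mail
    confirmed: set = field(default_factory=set)   # addresses that clicked the link
    outbox: list = field(default_factory=list)    # (recipient, kind) of mail "sent"

    def subscribe(self, email: str) -> str:
        """Handle a signup POST. Whoever submitted it, the only effect is one
        confirmation mail to `email`; no newsletter is ever sent from here."""
        if email in self.confirmed:
            return ""                               # no state change, no extra mail
        token = secrets.token_urlsafe(32)           # unguessable; travels only in the mail
        self.pending[token] = email
        self.outbox.append((email, "confirm"))
        return token

    def confirm(self, token: str) -> bool:
        """Activate a subscription only when the mailed token is presented."""
        for stored, email in list(self.pending.items()):
            if hmac.compare_digest(stored, token):  # constant-time comparison
                del self.pending[stored]
                self.confirmed.add(email)
                return True
        return False

    def send_newsletter(self) -> int:
        """Newsletters go to confirmed addresses only; returns how many were sent."""
        for email in self.confirmed:
            self.outbox.append((email, "newsletter"))
        return len(self.confirmed)


def forged_signup_scenario() -> dict:
    """Constructed scenario: a signup submitted on a victim's behalf from another site."""
    svc = NewsletterService()
    # 1. The forged request creates only a pending entry; the token goes to the victim's
    #    mailbox, and the cross-site page never sees the response.
    mailed_token = svc.subscribe("victim@example.invalid")
    sent_before = svc.send_newsletter()             # 0: nobody is confirmed
    guessed = svc.confirm("not-the-real-token")     # False: the token cannot be guessed
    # 2. Only the mailbox owner, following the link, activates the subscription.
    real = svc.confirm(mailed_token)                # True
    sent_after = svc.send_newsletter()              # 1
    confirm_mails = sum(1 for _, kind in svc.outbox if kind == "confirm")
    return {"before": sent_before, "guess": guessed, "confirm": real,
            "after": sent_after, "confirm_mails": confirm_mails}
```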
Updated•8 years ago
Group: websites-security