Closed
Bug 1088012
Opened 11 years ago
Closed 11 years ago
CSRF vulnerability
Categories
(support.mozilla.org :: Users and Groups, task, P4)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: mijanur.rayhan74, Unassigned)
Details
(Keywords: reporter-external)
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303
Steps to reproduce:
I grepped the login box source and saved it on my PC in HTML format. When I open it, there is a login box, and with it I can log in to the Mozilla Support website without any token.
Code:
<form method="post" action="https://support.mozilla.org/en-US/users/login">
  <input name="csrfmiddlewaretoken" value="xGBK7Xb211rhnUYWOd9RDIVtMd0QNmqE" type="hidden">
  <input name="next" value="https://support.mozilla.org/en-US/?fpa=1" type="hidden">
  <fieldset>
    <ul>
      <li class="cf">
        <label for="id_username">Username:</label>
        <input id="id_username" name="username" required="required" type="text">
      </li>
      <li class="cf">
        <label for="id_password">Password:</label>
        <input id="id_password" name="password" required="required" type="password">
      </li>
    </ul>
    <div class="submit">
      <input name="login" value="1" type="hidden">
      <button type="submit" data-type="submit" data-name="login" class="btn btn-submit" data-progress="Logging in..." data-done="Logged in!" data-reset="Log in">Log in</button>
    </div>
  </fieldset>
</form>
Actual results:
Any registered user can log in from any website or from localhost, and they can do anything on the Mozilla Support website.
Expected results:
It's very harmful for public users, and by this anyone can brute force the Mozilla Support users database from another website or from their localhost.
Updated•11 years ago
Severity: normal → critical
OS: All → Windows 7
Priority: -- → P4
Hardware: All → x86
Comment 1•11 years ago
Are you saying you can log in with a CSRF token? I don't think so:
$ curl -X POST -d "username=<username>&password=<password>" https://support.mozilla.org/en-US/users/login
<!DOCTYPE html>
<html class="no-js" lang="en-US" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Access denied | Mozilla Support</title>
Comment 2•11 years ago
Sounds like you saved the form with the CSRF token and used that to login. That's cheating.
Plus, I don't think CSRF protection adds much value to a login form. You need to know the username/password already to do anything on the login form.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Comment 3•11 years ago
I can log in without a token, and from anywhere. No need to visit the Mozilla Support website.
Flags: needinfo?(x3o.1337)
Comment 4•11 years ago
(In reply to x3o.1337 from comment #3)
> I can log in without a token, and from anywhere. No need to visit the Mozilla
> Support website.
Can you provide a curl example that doesn't return the access denied page? Access Denied is when the CSRF check fails.
Comment 5•11 years ago
(In reply to Ricky Rosario [:rrosario, :r1cky] from comment #4)
> (In reply to x3o.1337 from comment #3)
> > I can log in without a token, and from anywhere. No need to visit the Mozilla
> > Support website.
>
> Can you provide a curl example that doesn't return the access denied page?
> Access Denied is when the CSRF check fails.
Brother, check your email. I attached a video there.
Flags: needinfo?(x3o.1337)
Comment 6•11 years ago
In the video you copy-paste the full form HTML including the CSRF token. Like I said, that's not what CSRF is protecting against. Can you describe what a malicious user could do with that?
You can learn more about CSRF on wikipedia, I suggest reading the Limitations section: http://en.wikipedia.org/wiki/Cross-site_request_forgery#Limitations
Comment 7•11 years ago
(In reply to Ricky Rosario [:rrosario, :r1cky] from comment #6)
> You can learn more about CSRF on wikipedia, I suggest reading the
> Limitations section:
> http://en.wikipedia.org/wiki/Cross-site_request_forgery#Limitations
Specifically, see #4: The attacker must lure the victim to a Web page with malicious code while the victim is logged into the target site.
In your case, the user isn't logged in. So what damage can be done?
Comment 8•11 years ago
(In reply to Ricky Rosario [:rrosario, :r1cky] from comment #7)
> In your case, the user isn't logged in. So what damage can be done?
Login CSRF is used in "session fixation" attacks. If it's possible to quietly log someone into an attacker-controlled account there may be ways to then observe what actions that user took.
In the SUMO case it's hard to imagine what could be affected by that since all the questions and answers are public anyway, but I guess you could find the questions asked by one particular person who was otherwise anonymous to you. Assuming you got them to your site so you could CSRF them, and that that person also happened to later go to SUMO to ask a Firefox question.
Flags: sec-bounty?
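The thread above turns on two points: why the saved form "works" for the reporter yet curl gets "Access denied" (comments 1, 2 and 4), and what login CSRF would actually require an attacker to do (comments 7 and 8). The following Python model, added here and not part of the bug or of SUMO's code, illustrates both. It assumes SUMO uses a Django-style double-submit check (the csrfmiddlewaretoken field is Django's): the hidden form field must equal the csrftoken cookie the browser sends, and that comparison runs before the password is looked at. The Browser, Request, LoginServer and scenario names, and the alice/mallory accounts, are constructed for the demo; Django's real implementation additionally masks the token per response, which the model omits.

```python
"""Toy double-submit CSRF check on a login form (simplified Django-style model).

Assumptions, not project code: the 'csrftoken' cookie holds the secret, the
hidden 'csrfmiddlewaretoken' field must match it, and the match is verified
before the credentials are examined.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed demo accounts: alice is a victim, mallory is the attacker's own account.
USERS = {"alice": "correct horse battery staple", "mallory": "attacker-pass"}


@dataclass
class Browser:
    """One person's browser: the cookie jar it sends to the support site."""
    cookies: dict = field(default_factory=dict)


@dataclass
class Request:
    cookies: dict  # cookies the submitting browser attaches (empty for plain curl)
    form: dict     # POST body fields


class LoginServer:
    def render_login_form(self, browser: Browser) -> dict:
        """GET /users/login: set a csrftoken cookie if absent and embed it in the form."""
        if "csrftoken" not in browser.cookies:
            browser.cookies["csrftoken"] = secrets.token_urlsafe(24)
        return {"csrfmiddlewaretoken": browser.cookies["csrftoken"],
                "next": "/en-US/?fpa=1", "login": "1"}

    def login(self, req: Request) -> str:
        """POST /users/login: the CSRF check precedes any credential check."""
        cookie_token = req.cookies.get("csrftoken", "")
        form_token = req.form.get("csrfmiddlewaretoken", "")
        if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
            return "Access denied"          # what curl in comment 1 received
        if USERS.get(req.form.get("username")) != req.form.get("password"):
            return "Bad credentials"
        return f"Logged in as {req.form['username']}"


def replay_from_local_file(server: LoginServer) -> str:
    """Comment 2's case: the same person saves the form and submits it from disk.
    Their browser still sends the site cookie that the embedded token was issued
    against, so cookie and field agree and the login goes through."""
    me = Browser()
    saved_form = server.render_login_form(me)       # fetch and save the HTML
    saved_form.update(username="alice", password=USERS["alice"])
    return server.login(Request(cookies=me.cookies, form=saved_form))


def curl_without_cookie(server: LoginServer) -> str:
    """Comment 1's curl: no cookie and no token, so the check fails first."""
    return server.login(Request(cookies={}, form={"username": "alice",
                                                  "password": USERS["alice"]}))


def cross_site_replay(server: LoginServer) -> str:
    """Comment 8's login-CSRF scenario: the attacker's saved form (carrying the
    attacker's token and the attacker's credentials) is submitted by a victim's
    browser. The victim's cookie holds a different value, so the pre-session
    token binding rejects it and the victim is never logged into mallory's account."""
    attacker = Browser()
    attacker_form = server.render_login_form(attacker)
    attacker_form.update(username="mallory", password=USERS["mallory"])
    victim = Browser()
    server.render_login_form(victim)                # victim visited the site earlier
    return server.login(Request(cookies=victim.cookies, form=attacker_form))


if __name__ == "__main__":
    srv = LoginServer()
    print("saved form, own cookie :", replay_from_local_file(srv))
    print("curl, no cookie        :", curl_without_cookie(srv))
    print("victim, attacker's form:", cross_site_replay(srv))
```

The three scenarios make the maintainers' point concrete: the only request that succeeds is the one where the submitter owns both halves of the token pair, which is the reporter submitting their own credentials, so no third party gains anything. The cross-site case, which is the one comment 8 describes, is exactly what the pre-login token is there to stop, and it is denied.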
Updated•11 years ago
Resolution: INVALID → WONTFIX
Updated•11 years ago
Group: websites-security
Flags: sec-bounty? → sec-bounty-
Updated•1 year ago
Keywords: reporter-external