Closed Bug 1094085 Opened 10 years ago Closed 10 years ago

Login and Logout Forgeries Impact

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 713926

People

(Reporter: Symbian2010, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141103144234

Steps to reproduce:

Hi Security Team,

My name is Mohamed Abdelbaset Elnoby, an Information Security Evangelist from Egypt. I would like to report a security vulnerability in the website; details follow:

Vulnerability :
Cross Site Request Forgery - (CSRF)

Info:
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

In this report I will demonstrate how critical the logout and login processes can be when combined in a targeted attack with Local Area Network poisoning techniques.
Let's assume that a user is logged in to his account in one browser tab, having prepared his account for reporting a bug to Bugzilla or uploading private files, documents, etc. In another browser tab he is browsing/reading the news; the website he is browsing gets poisoned and injected with a malicious iframe which does the following:

1- Logs him out of his original account.
2- Logs him in to the attacker's account.
3- The user will not notice that he is in another account, not his original one, since he is already logged in.
4- The user starts to upload his sensitive files or make sensitive changes.
5- On the other side, the attacker is also logged in with the same account that he forced the victim to log in with, and refreshes the page to determine whether there are any changes or any files uploaded by the victim, in order to quickly download them if they are files, or obtain and steal them if they are data.

Consider this PoC video of a vulnerability I previously discovered:
-In "Box.com" Service: http://youtu.be/H97oHywpV1g

Vulnerable Link/Code:
Logout:
https://bugzilla.mozilla.org/index.cgi?logout=1

Login Form:
<html>
<body>
<!-- Login CSRF PoC: a cross-site POST that logs the victim in to the attacker's account.
     No anti-CSRF token is required by the target, so the attacker-controlled page can submit it. -->
<form action="https://bugzilla.mozilla.org/index.cgi" method="POST">
  <input type="hidden" name="Bugzilla_login" value="ATTACKER_EMAIL" />
  <input type="hidden" name="Bugzilla_password" value="ATTACKER_PASSWORD" />
  <input type="hidden" name="Bugzilla_remember" value="on" />
  <input type="hidden" name="GoAheadAndLogIn" value="Log in" />
  <input type="submit" value="Submit form" />
</form>
</body>
</html>

Remediation:
The original website must check the Referer header to determine whether the login/logout request comes from its own pages, and implement an anti-CSRF token to prevent such forgeries.


Actual results:

1- Logs him out of his original account.
2- Logs him in to the attacker's account.
3- The user will not notice that he is in another account, not his original one, since he is already logged in.
4- The user starts to upload his sensitive files or make sensitive changes.
5- On the other side, the attacker is also logged in with the same account that he forced the victim to log in with, and refreshes the page to determine whether there are any changes or any files uploaded by the victim, in order to quickly download them if they are files, or obtain and steal them if they are data.


Expected results:

The original website must check the Referer header to determine whether the login/logout request comes from its own pages, and implement an anti-CSRF token to prevent such forgeries.
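The remediation the report asks for, as an added example that is not Bugzilla's code and not part of the reporter's post. It models the three checks in a minimal Python request handler: login and logout accept POST only (so the GET logout link is refused), the Origin/Referer header must match the site's own origin, and the login form must carry a token bound by HMAC to a pre-session cookie the browser already holds, which a form built on the attacker's site cannot reproduce. The origin, server key, user table and request objects are constructed for illustration; the field names Bugzilla_login, Bugzilla_password and GoAheadAndLogIn are those from the PoC form above.

```python
"""Login/logout CSRF hardening sketch (added example, not Bugzilla's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bugzilla.example"   # assumed origin, not the real site
SERVER_KEY = b"constructed-server-secret"   # constructed; keep secret in practice
# Constructed test user. A real system stores a slow password hash, not SHA-256.
USERS = {"victim@example.com": hashlib.sha256(b"correct horse").hexdigest()}


@dataclass
class Request:
    """Just enough of an HTTP request for the checks below."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token_for(cookie_value: str) -> str:
    """Token that is valid only alongside this exact cookie value."""
    return hmac.new(SERVER_KEY, cookie_value.encode(), hashlib.sha256).hexdigest()


def serve_login_form() -> tuple[dict, str]:
    """What GET of the login form does: set a pre-session cookie, embed its token."""
    anon_id = secrets.token_hex(16)
    return {"anon_id": anon_id}, csrf_token_for(anon_id)


def same_origin(req: Request) -> bool:
    """Origin (preferred) or Referer must name this site; absent header fails closed."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    return src == SITE_ORIGIN or src.startswith(SITE_ORIGIN + "/")


def csrf_token_valid(req: Request, cookie_name: str) -> bool:
    """The form token must be the HMAC of the named cookie the browser sent."""
    bound = req.cookies.get(cookie_name)
    supplied = req.form.get("token")
    if not bound or not supplied:
        return False
    return hmac.compare_digest(csrf_token_for(bound), supplied)


def handle_login(req: Request) -> tuple[int, str]:
    if req.method != "POST":
        return 405, "login requires POST"
    if not same_origin(req):
        return 403, "cross-site login rejected"
    if not csrf_token_valid(req, "anon_id"):
        return 403, "missing or invalid login token"
    login = req.form.get("Bugzilla_login", "")
    pw_hash = hashlib.sha256(req.form.get("Bugzilla_password", "").encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(login, ""), pw_hash):
        return 401, "bad credentials"
    return 200, f"logged in as {login}"


def handle_logout(req: Request) -> tuple[int, str]:
    # The index.cgi?logout=1 style GET link is refused outright.
    if req.method != "POST":
        return 405, "logout requires POST"
    if not same_origin(req) or not csrf_token_valid(req, "session_id"):
        return 403, "cross-site logout rejected"
    return 200, "logged out"


def demo() -> dict:
    """Replay the report's forged requests and one legitimate login."""
    forged_login = Request(
        "POST", {"Origin": "https://evil.example"}, {"anon_id": "victims-cookie"},
        {"Bugzilla_login": "attacker@example.com",
         "Bugzilla_password": "ATTACKER_PASSWORD", "GoAheadAndLogIn": "Log in"})
    forged_logout = Request("GET", {"Referer": "https://evil.example/news"},
                            {"session_id": "victims-session"}, {})
    cookies, token = serve_login_form()
    legit_login = Request(
        "POST", {"Origin": SITE_ORIGIN}, cookies,
        {"Bugzilla_login": "victim@example.com",
         "Bugzilla_password": "correct horse", "token": token})
    return {"forged_login": handle_login(forged_login)[0],
            "forged_logout": handle_logout(forged_logout)[0],
            "legit_login": handle_login(legit_login)[0]}


if __name__ == "__main__":
    print(demo())
```

The Referer/Origin check is a backstop rather than the primary control: browsers and proxies can omit the Referer header, and the code fails closed in that case, which is why the cookie-bound token is what actually carries the protection. Marking the anon_id and session cookies SameSite would add a third, browser-enforced layer.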
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
CSRF for logout is bug 767703.
Flags: sec-bounty-
Hello, I think my report isn't a duplicate, since the report you're referencing is an old one and mine is tested and confirmed in the current Mozilla Bugzilla live version?!
(In reply to Mohamed A. Baset from comment #3)
> Hello, I think my report isn't a duplicate, since the report you're
> referencing is an old one and mine is tested and confirmed in the
> current Mozilla Bugzilla live version?!

Mozilla Bugzilla runs 4.2. The fix is in 4.4 and newer only, because it's too invasive for 4.2. This has been explained in the release notes already.
Ok, Thanks Frederic