Bug 619932 (Closed) - Opened 15 years ago, Closed 15 years ago
getpersonas has a cross site request forgery vulnerability in upload form
Categories: Websites Graveyard :: getpersonas.com, defect
Tracking: (Not tracked)
Status: VERIFIED FIXED
People
(Reporter: gab.mnunes, Assigned: telliott)
Details
(Keywords: reporter-external, Whiteboard: [infrasec:csrf][ws:Moderate])
Attachments (1 file): patch, 5.60 KB, chenba: review+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716
Build Identifier: https://www.getpersonas.com/en-US/upload
The URL:
https://www.getpersonas.com/en-US/upload
is vulnerable to a Cross Site Request Forgery attack (CSRF).
The example below shows the post data without the binary code of the images:
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="agree"
1
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="license"
restricted
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="id"
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="name"
teste_gab
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="textcolor"
b53636
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="header-image"; filename="green2.jpg"
Content-Type: image/jpeg
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="description"
descricao do garoto
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="category"
Sports
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="accentcolor"
632d2d
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="footer-image"; filename="green3.jpg"
Content-Type: image/jpeg
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="reason"
fun
-----------------------------457226728227790211288379351
Content-Disposition: form-data; name="other-reason"
-----------------------------457226728227790211288379351--
There is no check or token to verify the message.
Reproducible: Always
Comment 3•15 years ago
(In reply to comment #1)
> Same fix as the other bug
Meaning "fixed by" the other bug, or just that we need to do the same thing in a new place?
Updated•15 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•15 years ago
same thing in another place
Updated•15 years ago
Whiteboard: [infrasec:csrf]
Comment 5•15 years ago
(In reply to comment #4)
> same thing in another place
Assuming referring to bug 619932 and "same thing" is the required fix.
Comment 6•15 years ago
Not sure why I was so cryptically vague here. I think the other bug is the user profile page one.
Updated•15 years ago
Whiteboard: [infrasec:csrf] → [infrasec:csrf][ws:Moderate]
Comment 8•15 years ago
bad things you can do:
- swamp our reviewers
- frame someone for offensive images
- get them banned (for spam or offensiveness)
- generally DoS our server while hiding your tracks.
Not critical, but needs to be fixed.
Comment 9•15 years ago
apparently we "knew" after bug 619256 that we needed to fix more than that one form, but in the absence of any evidence (bugs filed, or comments in an existing bug, plans on a wiki,...) it looks like gabriel beat us to it and IMHO should be awarded a bounty.
WebDev needs to document any other similar pages if they're aware of them.
Comment 10•15 years ago
clouser filed bug 624597 to cover any remaining issues.
Comment 11•15 years ago (Assignee)
Attachment #508834 - Flags: review?
Updated•15 years ago
Attachment #508834 - Flags: review? → review?(chenba)
Comment 12•15 years ago
Comment on attachment 508834 [details] [diff] [review]
Nonces the upload process
The only minor issue I can think of is that since only one nonce value is stored in the user session, if the user opens another form in another tab/window, the previous nonce would be overwritten.
Attachment #508834 - Flags: review?(chenba) → review+
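To make the two points above concrete (the report's POST carries no token at all, and comment 12's note that a nonce kept in a single session slot is overwritten when the user opens a second form), here is an added example in Python. It is not the site's code or the patch under review: the session object, the HTTP status values, the nonce bound MAX_OUTSTANDING and the field dict built from the reported POST are assumptions. Scheme A reproduces the single-slot behaviour the reviewer describes; scheme B keeps a bounded set of outstanding nonces so a form opened in another tab stays valid.

```python
"""CSRF nonce handling for a multipart upload form: a single-slot scheme beside a
bounded multi-slot scheme. Added example, not getpersonas code; session shape,
field names, status codes and MAX_OUTSTANDING are assumed."""
import hmac
import secrets
from collections import OrderedDict

MAX_OUTSTANDING = 8  # nonces retained per session in scheme B (assumed bound)

# Non-file fields of the POST in the report, as a constructed dict. There is no
# "nonce" key: this is the request a cross-site page could submit before the fix.
REPORTED_FIELDS = {
    "agree": "1", "license": "restricted", "id": "", "name": "teste_gab",
    "textcolor": "b53636", "description": "descricao do garoto",
    "category": "Sports", "accentcolor": "632d2d", "reason": "fun",
    "other-reason": "",
}


class Session(dict):
    """Stand-in for the server-side session bound to the user's cookie."""


def _same(a, b):
    # Constant-time compare on bytes; str compare_digest rejects non-ASCII input.
    return hmac.compare_digest(a.encode(), b.encode())


# --- scheme A: one nonce slot per session (the behaviour comment 12 describes) ---
def issue_single(session):
    """Render time: mint a nonce and overwrite whatever the session already held."""
    nonce = secrets.token_urlsafe(24)
    session["nonce"] = nonce
    return nonce


def check_single(session, submitted):
    """Submit time: accept only the stored nonce, and consume it on success."""
    expected = session.get("nonce")
    if not expected or not submitted or not _same(expected, submitted):
        return False
    del session["nonce"]  # single use: replaying the same request fails
    return True


# --- scheme B: bounded set of outstanding nonces, so open tabs do not invalidate each other ---
def issue_multi(session):
    nonces = session.setdefault("nonces", OrderedDict())
    nonce = secrets.token_urlsafe(24)
    nonces[nonce] = True
    while len(nonces) > MAX_OUTSTANDING:
        nonces.popitem(last=False)  # evict the oldest outstanding form
    return nonce


def check_multi(session, submitted):
    nonces = session.get("nonces", OrderedDict())
    if not submitted:
        return False
    for nonce in list(nonces):
        if _same(nonce, submitted):
            del nonces[nonce]  # single use
            return True
    return False


def handle_upload(session, fields, check):
    """Gate for POST /upload; `fields` are the decoded non-file parts.
    The nonce check runs first so a forged request reaches no other code."""
    if not check(session, fields.get("nonce")):
        return 403
    if fields.get("agree") != "1":
        return 400
    return 200  # accepted into the review queue


def scenario(issue, check):
    """Four requests against one logged-in session; returns each one's status."""
    session = Session()
    # 1. Cross-site forgery: the reported POST, with no nonce, since the
    #    attacker's page cannot read one out of the victim's session.
    forged = handle_upload(session, dict(REPORTED_FIELDS), check)
    # 2. Normal use in one tab, then 3. a replay of that exact request.
    nonce = issue(session)
    one_tab = handle_upload(session, dict(REPORTED_FIELDS, nonce=nonce), check)
    replay = handle_upload(session, dict(REPORTED_FIELDS, nonce=nonce), check)
    # 4. Two tabs: render the form twice, then submit the first one opened.
    first = issue(session)
    issue(session)
    two_tabs = handle_upload(session, dict(REPORTED_FIELDS, nonce=first), check)
    return {"forged": forged, "one_tab": one_tab, "replay": replay, "two_tabs": two_tabs}
```

Both schemes reject the reported request and a replay; they differ only in the two-tab case, where scheme A returns 403 because the second render overwrote the first nonce and scheme B returns 200. The bound on outstanding nonces keeps a session from growing without limit if a user (or a script) renders the form repeatedly without submitting.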
Comment 13•15 years ago
Thanks Barry. Toby, please land
Comment 14•15 years ago (Assignee)
Landed in 81985
Updated•15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
TOS:
<h3>Terms of Service</h3>
</div>
<form action="https://personas.stage.mozilla.com/en-US/upload" method="post">
<input type="hidden" name="nonce" value="XFI0FgqQV7rZ7k1Iyfrg1I7hgHqiT50qB">
<input type="hidden" name="firstterms" value="1">
Create your persona:
<h4>Create Your Persona</h4>
<form method="POST" action="https://personas.stage.mozilla.com/en-US/upload" enctype='multipart/form-data'>
<input type="hidden" name="nonce" value="OQiEROw9Rr1VAoLZu6zoO1kuhl5SG60UN">
I also saw in the patch commit that there's an SSC template to which the nonce was added, but I forget how to access it, and it's a one-off thing anyway.
Verified FIXED.
Status: RESOLVED → VERIFIED
Updated•13 years ago
Product: Websites → Websites Graveyard
Updated•12 years ago
Flags: sec-bounty+
Updated•9 years ago
Group: websites-security
Updated•1 year ago
Keywords: reporter-external