CSRF on creative.mozilla.org

VERIFIED FIXED

Status

Websites
creative.mozilla.org
VERIFIED FIXED
7 years ago
3 years ago

People

(Reporter: Jose A. Vazquez, Assigned: ryansnyder)

Tracking

({wsec-csrf})

unspecified
wsec-csrf
Bug Flags:
sec-bounty+

Details

(Whiteboard: [infrasec:csrf][ws:critical], URL)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: 

I found a new vulnerability. Cross Site Request Forgery (CSRF) on site:

http://creative.mozilla.org


I'm going to attach a PoC file that triggers the vulnerability.
The issue would allow changing the configuration of users when they visit the attacker's site.

You could solve the issue using a random token for example: it's the usual way to avoid CSRF.

To check the vulnerability you should register/log in to the site and then click on my PoC. Your configuration changes to:

Your Name: 0wn3d
Location: 0wn3d
Website: http://farmofexploits.org
Twitter: @ 0wn3d_twitter
About You: 0wn3d

This is the configuration that I fixed in the PoC file.

Regards,
Jose.

Spanish Security Researcher,
http://spa-s3c.blogspot.com/


Reproducible: Always

Steps to Reproduce:
See details
Actual Results:  
See details

Expected Results:  
See details

(Reporter)

Comment 1

7 years ago
Created attachment 498744
CSRF Proof Of Concept

Updated

7 years ago
Whiteboard: [ws:need triage]
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [ws:need triage] → [infrasec:csrf][ws:critical]
Wil, Morgamic, 

Who should this be assigned to?
Ryan, could you help with this before you take off?
Assignee: nobody → ryan
CSRF fix put in place.  Using Kohana module updates from Bespin Plugin Gallery.  All auth module pages will need to be tested on stage by QA before release (register, login, logout, change email, change password, forgot password, edit profile).

==

Deleting       application/controllers/auth.php
Adding         application/views/auth
Adding         application/views/auth/email.php
Adding         application/views/auth/emails
Adding         application/views/auth/emails/changeemail_email.php
Adding         application/views/auth/emails/forgot_email.php
Adding         application/views/auth/emails/register_email.php
Adding         application/views/auth/emails/welcome_email.php
Adding         application/views/auth/forgot.php
Adding         application/views/auth/login.php
Adding         application/views/auth/logout.php
Adding         application/views/auth/password.php
Adding         application/views/auth/register.php
Adding         application/views/auth/verify_action_required_email.php
Adding         application/views/auth/verify_action_required_forgot.php
Adding         application/views/auth/verify_action_required_registration.php
Adding         application/views/auth/verify_fail.php
Adding         application/views/auth/verify_reset_password.php
Deleting       application/views/email.php
Deleting       application/views/forgot.php
Deleting       application/views/login.php
Deleting       application/views/password.php
Deleting       application/views/register.php
Deleting       application/views/verify_reset_password.php
Sending        modules/auth/config/routes.php
Sending        modules/auth/controllers/auth.php
Sending        modules/auth/views/forgot.php
Sending        modules/auth/views/login.php
Sending        modules/auth/views/register.php
Transmitting file data ....................
Committed revision 79772.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

7 years ago
I would like to know if something of my stuff could be qualified for reward program...

Comment 7

7 years ago
(In reply to comment #6)
> I would like to know if something of my stuff could be qualified for reward
> program...

We will be posting to your bugs shortly if any of them qualify. As you know per the FAQ, only selected sites will be considered for the bounty. We do however consider the impact to other areas.
(Reporter)

Comment 8

7 years ago
Ok, thanks for your response.

Comment 9

7 years ago
Verified that changing the token leads to form-submission failure for

* login
* register
* change email
* reset password

marking this verified.
Status: RESOLVED → VERIFIED
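The reporter's suggested fix (a random per-session token that every state-changing request must echo back) and the check QA ran above (a changed or missing token must make the submission fail), as an added example that is not the Kohana module deployed in the fix comment or any code from this bug; the in-memory session store, the profile field names and the handler are constructed for illustration:

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}

def new_session():
    """Create a session with a fresh, unguessable CSRF token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {
        "csrf_token": secrets.token_urlsafe(32),
        "profile": {"name": "Jose", "location": "Spain"},
    }
    return sid

def render_profile_form(sid):
    """Hidden field the legitimate edit-profile form carries; an attacker's
    page cannot read it because it lives in the victim's session."""
    token = SESSIONS[sid]["csrf_token"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'

def extract_token(html):
    """Pull the token back out of the rendered form (what the browser submits)."""
    return html.split('value="', 1)[1].split('"', 1)[0]

def handle_profile_update(sid, form):
    """POST handler for the profile page: the session cookie alone is not
    enough; the submitted token must match the session's token.
    Returns ("ok", profile) or ("rejected", reason)."""
    session = SESSIONS.get(sid)
    if session is None:
        return ("rejected", "no session")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison: a plain == would leak the token through timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return ("rejected", "bad or missing csrf token")
    for field in ("name", "location", "website", "twitter", "about"):
        if field in form:
            session["profile"][field] = form[field]
    return ("ok", dict(session["profile"]))

if __name__ == "__main__":
    sid = new_session()
    token = extract_token(render_profile_form(sid))
    print(handle_profile_update(sid, {"csrf_token": token, "name": "Jose A."}))
    # A cross-site form cannot know the token, so it is rejected.
    print(handle_profile_update(sid, {"name": "0wn3d", "location": "0wn3d"}))
    # The QA check from the comment above: a changed token also fails.
    print(handle_profile_update(sid, {"csrf_token": "x" + token[1:], "name": "0wn3d"}))
```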

Comment 11

7 years ago
@Jose normally this site wouldn't be included in the bounty but you pointed out an issue which we feel needs further review. So we are taking some tasks from this bug and will be doing a deeper dive. So 500 for the bounty, we will be sending an email out shortly.

We need to review the usage of SSL on this site and CSRF protection.
Created attachment 502671
POC from rar
(Reporter)

Comment 13

7 years ago
@Chris thanks! :)
Group: websites-security

Updated

5 years ago
Blocks: 836573
Keywords: wsec-csrf
Flags: sec-bounty+