Closed Bug 620397 Opened 14 years ago Closed 14 years ago

CSRF on creative.mozilla.org

Categories

(Websites :: creative.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: javg0x83, Assigned: ryansnyder)

References

()

Details

(Keywords: reporter-external, wsec-csrf, Whiteboard: [infrasec:csrf][ws:critical])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: 

I found a new vulnerability: Cross Site Request Forgery (CSRF) on the site:

http://creative.mozilla.org


I'm going to attach a PoC file that triggers the vulnerability.
The issue would allow changing users' configuration when they visit the attacker's site.

You could solve the issue by using a random token, for example: it's the usual way to avoid CSRF.

To check the vulnerability you should register/log in to the site and then click on my PoC. Your configuration changes to:

Your Name: 0wn3d
Location: 0wn3d
Website: http://farmofexploits.org
Twitter: @ 0wn3d_twitter
About You: 0wn3d

This is the configuration that I fixed in the PoC file.

Regards,
Jose.

Spanish Security Researcher,
http://spa-s3c.blogspot.com/


Reproducible: Always

Steps to Reproduce:
See details
Actual Results:  
See details

Expected Results:  
See details

Attached file CSRF Proof Of Concept
Whiteboard: [ws:need triage]
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [ws:need triage] → [infrasec:csrf][ws:critical]
Wil, Morgamic, 

Who should this be assigned to?
Ryan, could you help with this before you take off?
Assignee: nobody → ryan
CSRF fix put in place.  Using Kohana module updates from Bespin Plugin Gallery.  All auth module pages will need to be tested on stage by QA before release (register, login, logout, change email, change password, forgot password, edit profile).

==

Deleting       application/controllers/auth.php
Adding         application/views/auth
Adding         application/views/auth/email.php
Adding         application/views/auth/emails
Adding         application/views/auth/emails/changeemail_email.php
Adding         application/views/auth/emails/forgot_email.php
Adding         application/views/auth/emails/register_email.php
Adding         application/views/auth/emails/welcome_email.php
Adding         application/views/auth/forgot.php
Adding         application/views/auth/login.php
Adding         application/views/auth/logout.php
Adding         application/views/auth/password.php
Adding         application/views/auth/register.php
Adding         application/views/auth/verify_action_required_email.php
Adding         application/views/auth/verify_action_required_forgot.php
Adding         application/views/auth/verify_action_required_registration.php
Adding         application/views/auth/verify_fail.php
Adding         application/views/auth/verify_reset_password.php
Deleting       application/views/email.php
Deleting       application/views/forgot.php
Deleting       application/views/login.php
Deleting       application/views/password.php
Deleting       application/views/register.php
Deleting       application/views/verify_reset_password.php
Sending        modules/auth/config/routes.php
Sending        modules/auth/controllers/auth.php
Sending        modules/auth/views/forgot.php
Sending        modules/auth/views/login.php
Sending        modules/auth/views/register.php
Transmitting file data ....................
Committed revision 79772.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
I would like to know if any of my stuff could qualify for the reward program...
(In reply to comment #6)
> I would like to know if any of my stuff could qualify for the reward
> program...

We will be posting to your bugs shortly if any of them qualify. As you know per the FAQ, only selected sites will be considered for the bounty. We do however consider the impact to other areas.
Ok, thanks for your response.
Verified that changing the token leads to form-submission failure for

* login
* register
* change email
* reset password

marking this verified.
Status: RESOLVED → VERIFIED
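The fix the reporter suggests (a random, per-session token the attacker's page cannot read) and the check QA ran above (a missing or altered token makes the form submission fail), as an added example. This is not code from the bug, from the attached PoC or from the creative.mozilla.org / Kohana codebase: the /profile/edit endpoint, the field names and the in-memory session store are assumptions for illustration, and the forged payload values are the ones listed in the report.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the framework's
# session backend (assumption; the real site used Kohana's).
SESSIONS = {}

# Field names are assumed; they mirror the profile fields named in the report.
PROFILE_FIELDS = ("name", "location", "website", "twitter", "about")


def start_session():
    """Log a user in: create a session and mint a fresh per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "csrf_token": secrets.token_urlsafe(32),
        "profile": {f: "" for f in PROFILE_FIELDS},
    }
    return sid


def render_profile_form(sid):
    """Server-rendered edit form. The hidden token is what a cross-origin
    attacker page cannot read, so it cannot build a valid forged post."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/profile/edit">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        + "".join(f'  <input name="{f}">\n' for f in PROFILE_FIELDS)
        + "</form>"
    )


def handle_profile_edit(sid, post):
    """POST /profile/edit handler (assumed endpoint). Returns (status, message).
    Any request whose token is absent or does not match the session's is refused."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = post.get("csrf_token", "")
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    for f in PROFILE_FIELDS:
        if f in post:
            session["profile"][f] = post[f]
    # Rotate the token after a successful state change (optional hardening).
    session["csrf_token"] = secrets.token_urlsafe(32)
    return 200, "profile updated"


def forged_request():
    """What an auto-submitting attacker page sends: the victim's session cookie
    rides along with the request, but the token does not. Values are the
    report's PoC payload (constructed here, not read from the attachment)."""
    return {"name": "0wn3d", "location": "0wn3d", "website": "http://farmofexploits.org",
            "twitter": "@0wn3d_twitter", "about": "0wn3d"}


def demo():
    """Replays QA's check: forged and tampered tokens fail, the real one passes."""
    sid = start_session()
    # 1. Cross-site post with no token at all.
    status_forged, _ = handle_profile_edit(sid, forged_request())
    # 2. Cross-site post with a guessed/altered token.
    tampered = dict(forged_request(), csrf_token=secrets.token_urlsafe(32))
    status_tampered, _ = handle_profile_edit(sid, tampered)
    # 3. Legitimate submission from the server-rendered form.
    legit = {"csrf_token": SESSIONS[sid]["csrf_token"], "name": "Jose"}
    status_legit, _ = handle_profile_edit(sid, legit)
    return status_forged, status_tampered, status_legit, SESSIONS[sid]["profile"]["name"]


if __name__ == "__main__":
    print(render_profile_form(start_session()))
    print(demo())
```

The token only helps if it is tied to the authenticated session and never accepted from a cookie or a GET parameter; the rotation after a successful edit is an extra step, not a requirement of the pattern. QA's verification (submit with the token changed, expect the form to fail) is exactly the second case in demo().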
@Jose normally this site wouldn't be included in the bounty but you pointed out an issue which we feel needs further review. So we are taking some tasks from this bug and will be doing a deeper dive. So 500 for the bounty; we will be sending an email out shortly. 

We need to review the usage of SSL on this site and CSRF protection.
@Chris thanks! :)
Group: websites-security
Keywords: wsec-csrf
Flags: sec-bounty+