Bug 620397 (Closed) - Opened 14 years ago, Closed 14 years ago
CSRF on creative.mozilla.org
Categories: Websites :: creative.mozilla.org, defect
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: javg0x83, Assigned: ryansnyder
References: none
Details: Keywords: reporter-external, wsec-csrf; Whiteboard: [infrasec:csrf][ws:critical]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier:
I found a new vulnerability: Cross Site Request Forgery (CSRF) on the site:
http://creative.mozilla.org
I'm going to attach a PoC file that triggers the vulnerability.
The issue would allow changing the configuration of users when they visit the attacker's site.
You could solve the issue using a random token, for example: it's the usual way to avoid CSRF.
To check the vulnerability you should register/log in to the site and then click on my PoC. Your configuration changes to:
Your Name: 0wn3d
Location: 0wn3d
Website: http://farmofexploits.org
Twitter: @ 0wn3d_twitter
About You: 0wn3d
This is the configuration that I fixed in the PoC file.
Regards,
Jose.
Spanish Security Researcher,
http://spa-s3c.blogspot.com/
Reproducible: Always
Steps to Reproduce:
See details
Actual Results:
See details
Expected Results:
See details
Comment 1 (Reporter) • 14 years ago
Updated • 14 years ago
Whiteboard: [ws:need triage]
Updated • 14 years ago
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [ws:need triage] → [infrasec:csrf][ws:critical]
Comment 3 • 14 years ago
Wil, Morgamic,
Who should this be assigned to?
Comment 5 (Assignee) • 14 years ago
CSRF fix put in place. Using Kohana module updates from Bespin Plugin Gallery. All auth module pages will need to be tested on stage by QA before release (register, login, logout, change email, change password, forgot password, edit profile).
==
Deleting application/controllers/auth.php
Adding application/views/auth
Adding application/views/auth/email.php
Adding application/views/auth/emails
Adding application/views/auth/emails/changeemail_email.php
Adding application/views/auth/emails/forgot_email.php
Adding application/views/auth/emails/register_email.php
Adding application/views/auth/emails/welcome_email.php
Adding application/views/auth/forgot.php
Adding application/views/auth/login.php
Adding application/views/auth/logout.php
Adding application/views/auth/password.php
Adding application/views/auth/register.php
Adding application/views/auth/verify_action_required_email.php
Adding application/views/auth/verify_action_required_forgot.php
Adding application/views/auth/verify_action_required_registration.php
Adding application/views/auth/verify_fail.php
Adding application/views/auth/verify_reset_password.php
Deleting application/views/email.php
Deleting application/views/forgot.php
Deleting application/views/login.php
Deleting application/views/password.php
Deleting application/views/register.php
Deleting application/views/verify_reset_password.php
Sending modules/auth/config/routes.php
Sending modules/auth/controllers/auth.php
Sending modules/auth/views/forgot.php
Sending modules/auth/views/login.php
Sending modules/auth/views/register.php
Transmitting file data ....................
Committed revision 79772.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 6 (Reporter) • 14 years ago
I would like to know if something of my stuff could be qualified for reward program...
Comment 7 • 14 years ago
(In reply to comment #6)
> I would like to know if something of my stuff could be qualified for reward
> program...
We will be posting to your bugs shortly if any of them qualify. As you know per the FAQ, only selected sites will be considered for the bounty. We do however consider the impact to other areas.
Comment 8 (Reporter) • 14 years ago
Ok, thanks for your response.
Comment 9 • 14 years ago
Verified that changing the token leads to form-submission failure for
* login
* register
* change email
* reset password
Marking this verified.
Status: RESOLVED → VERIFIED
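The reporter's suggested fix (a random per-session token) and QA's check above (a modified token must make the form submission fail) are illustrated below with an added, self-contained example. This is not the site's Kohana/PHP code from revision 79772; it is a hypothetical minimal Python profile-edit handler written for this page. The field name `csrf_token`, the `Session` class and the `/profile/edit` action are assumptions chosen for the illustration.

```python
"""Per-session anti-CSRF token: generate, embed in the form, verify on POST.

Added illustration for this bug page; hypothetical code, not the site's.
"""
import hmac
import secrets
from html import escape

TOKEN_FIELD = "csrf_token"  # hypothetical hidden-field name


class Session:
    """Server-side session for one logged-in user (constructed stand-in)."""

    def __init__(self) -> None:
        self.csrf_token = None
        self.profile = {"name": "", "location": "", "website": "",
                        "twitter": "", "about": ""}


def get_csrf_token(session: Session) -> str:
    """Return the session's token, minting a fresh random one on first use."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def render_profile_form(session: Session) -> str:
    """Render the edit-profile form with the token in a hidden field.

    An attacker's page cannot read this value across origins, so a forged
    POST from that page cannot include it.
    """
    token = escape(get_csrf_token(session), quote=True)
    return (
        '<form method="post" action="/profile/edit">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        '  <input type="text" name="name">\n'
        '  <input type="submit" value="Save">\n'
        '</form>'
    )


def csrf_token_valid(session: Session, form: dict) -> bool:
    """True only if the submitted token exactly matches the session's token."""
    expected = session.csrf_token
    submitted = form.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison so response timing does not leak token bytes.
    return hmac.compare_digest(expected, submitted)


def handle_profile_post(session: Session, form: dict) -> tuple:
    """Apply a profile update only when the CSRF check passes."""
    if not csrf_token_valid(session, form):
        return 403, "CSRF token missing or invalid; profile unchanged"
    for key in session.profile:
        if key in form:
            session.profile[key] = form[key]
    return 200, "profile updated"


def demo() -> dict:
    """Walk one legitimate submission and two forged ones through the handler."""
    session = Session()
    html = render_profile_form(session)
    token = session.csrf_token
    results = {}
    # Forged request: the cross-site page does not know the token, so omits it.
    results["no_token"] = handle_profile_post(session, {"name": "0wn3d"})[0]
    # Forged request with a tampered token (the QA check in comment 9).
    results["tampered"] = handle_profile_post(
        session, {TOKEN_FIELD: token + "x", "name": "0wn3d"})[0]
    # Legitimate submission carrying the token rendered into the form.
    results["legit"] = handle_profile_post(
        session, {TOKEN_FIELD: token, "name": "Jose"})[0]
    results["name_after"] = session.profile["name"]
    results["hidden_field_present"] = TOKEN_FIELD in html and token in html
    return results


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session rather than to the form, which is what lets the four flows listed above (login, register, change email, reset password) share one check; a token for an unauthenticated pre-login session should be rotated once the user logs in so it does not carry across the privilege change.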
Comment 11 • 14 years ago
@Jose normally this site wouldn't be included in the bounty but you pointed out an issue which we feel needs further review. So we are taking some tasks from this bug and will be doing a deeper dive. So 500 for the bounty, we will be sending an email out shortly.
We need to review the usage of SSL on this side and CSRF protection.
Comment 12 • 14 years ago
Comment 13 (Reporter) • 14 years ago
@Chris thanks! :)
Updated • 14 years ago
Group: websites-security
Updated • 11 years ago
Flags: sec-bounty+
Updated • 6 months ago
Keywords: reporter-external