Closed Bug 855658 Opened 12 years ago Closed 12 years ago

Mozilla Developer Network Doesn't check security token on the server.

Categories

(developer.mozilla.org Graveyard :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: netfuzzerr, Assigned: freddy)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.3 Safari/537.36

Steps to reproduce:

Hi,

On developer.mozilla.org the security token is not checked by the server to see whether it is valid or not. The page checks the cookie attribute "csrftoken" and the param "csrftoken" sent by the request; if both are equal the request is done with success. But, as the page doesn't check if both are valid, it's possible to edit the cookie (by a program installed on the victim's computer, or a browser vuln) and send the csrftoken that you want, so allowing attackers to do CSRF attacks.

Reproduce:
1. Log on to Mozilla Developer Network.
2. Make a POST request like that:

==========================
POST /pt-BR/profiles/netfuzzer55/edit HTTP/1.1
Host: developer.mozilla.org
Cookie: sessionid=yoursessionid; browserid_explained=1; csrftoken=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; ////////////// some more cookies attributes ///////////////////

csrfmiddlewaretoken=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&email=youremail%40hotmail.com&fullname=&title=&organization=&location=&locale=pt-BR&timezone=&irc_nickname=&bio=aaaaaaaaaaaaaaaaaaaeeeeeeeeee&interests=&expertise=&websites_website=&websites_twitter=&websites_github=&websites_stackoverflow=&websites_linkedin=
===================================

3. See the changes.

Cheers,
Mario
Summary: Mozilla Developer Network Doesn't check security tokens. → Mozilla Developer Network Doesn't check security token.
Summary: Mozilla Developer Network Doesn't check security token. → Mozilla Developer Network Doesn't check security token on the server.
assigning to freddy for verification
Assignee: nobody → fbraun
Whiteboard: [verif?]
I get a HTTP/1.1 403 Forbidden as response.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Whiteboard: [verif?]
Basic reproduce using Burp Suite:
1. Go to https://developer.mozilla.org/pt-BR/profiles/[your_user_id]/edit
2. Change the name to "aaaaa".
3. Now enable Burp Suite to proxy the request, and on the page click "Save Changes".
4. Intercept the request in Burp Suite and edit the cookie value "csrftoken" to "aaaaaaaaaaaaaaa", and in the POST params change "csrftoken" to "aaaaaaaaaaaaaaa" as well. Then send the edited request.
5. See the changes saved.

(In reply to Frederik Braun [:freddyb] from comment #2)
> I get a HTTP/1.1 403 Forbidden as response.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Just fixing: edit the POST param "csrfmiddlewaretoken" to "aaaaaaaaaaaaaaa" and send the request.
Hey Mario. I am going to keep this as RESOLVED:INVALID until :freddyb can reproduce.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Flags: needinfo?(fbraun)
Resolution: --- → INVALID
I just tried it again as suggested in comment 3, but with ZAP Proxy. I still get the 403 Forbidden and get the MDN "Permission Denied" page.
Flags: needinfo?(fbraun)
The CSRF token is not intended as a server-side authorization to perform an action, it is only intended to prevent Cross-Site Request Forgery attacks. Requiring the POST var and the cookie (or session var) to match is sufficient for that.
Status: RESOLVED → VERIFIED
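The comment above describes the double-submit cookie pattern: the server never looks the token up, it only requires the cookie value and the form value to match, because a page on another origin cannot read or write the victim's cookies. The following is an added illustration of that check, not code from MDN or from Django; it is a simplified model written in the style of Django's CsrfViewMiddleware, with requests represented as plain dicts and all sample values constructed. The same-host Referer check for HTTPS requests mirrors the one Django performs and goes beyond what the comment itself states.

```python
"""Double-submit cookie CSRF check, modelled on Django's CsrfViewMiddleware.

Added example, not code from MDN or Django. Requests are plain dicts with the
keys method, scheme, host, referer, cookies and form (all constructed here).
"""
import hmac
import secrets
from urllib.parse import urlsplit

CSRF_COOKIE = "csrftoken"            # cookie name used by Django
CSRF_FIELD = "csrfmiddlewaretoken"   # hidden form field name used by Django
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def issue_token():
    """Mint a fresh random token; the server sets it as the csrftoken cookie
    and embeds the same value in every form it renders."""
    return secrets.token_hex(32)


def csrf_check(request):
    """Return (allowed, reason) for a request.

    The token is never looked up server-side: the only check is that the
    value a cross-site attacker cannot read (the cookie) equals the value
    submitted in the form. Mirroring Django, HTTPS requests must also carry a
    same-host Referer, which rejects forged submissions even if the attacker
    guesses or reuses a token value.
    """
    if request["method"] in SAFE_METHODS:
        return True, "safe method"
    if request["scheme"] == "https":
        referer = request.get("referer")
        if not referer:
            return False, "403: Referer checking failed - no Referer"
        if urlsplit(referer).netloc != request["host"]:
            return False, "403: Referer checking failed - bad Referer"
    cookie_token = request["cookies"].get(CSRF_COOKIE)
    form_token = request["form"].get(CSRF_FIELD)
    if not cookie_token:
        return False, "403: CSRF cookie not set"
    if not form_token:
        return False, "403: CSRF token missing"
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False, "403: CSRF token incorrect"
    return True, "ok"


EDIT_PAGE = "https://developer.mozilla.org/pt-BR/profiles/me/edit"  # constructed


def _edit_profile_request(cookie_token, form_token, referer):
    """Constructed POST to the profile edit endpoint discussed in the bug."""
    return {
        "method": "POST",
        "scheme": "https",
        "host": "developer.mozilla.org",
        "referer": referer,
        "cookies": {"sessionid": "constructed-session", CSRF_COOKIE: cookie_token},
        "form": {CSRF_FIELD: form_token, "fullname": "aaaaa"},
    }


def legitimate_submit():
    """Form rendered by the site: cookie and hidden field carry the same token."""
    token = issue_token()
    return csrf_check(_edit_profile_request(token, token, EDIT_PAGE))


def cross_site_forgery():
    """Auto-submitting form on a third-party page: the browser attaches the
    victim's cookie, but the attacker cannot read it, so the form value is a
    guess and the Referer is the attacker's origin. Rejected."""
    victim_token = issue_token()
    return csrf_check(_edit_profile_request(victim_token, "A" * 64,
                                            "https://attacker.example/"))


def stale_form_token():
    """Same-site submit whose hidden field no longer matches the cookie
    (for example, the token was rotated after login). Rejected."""
    return csrf_check(_edit_profile_request(issue_token(), issue_token(), EDIT_PAGE))


def attacker_controls_cookie_jar():
    """The scenario in the bug report: cookie and form field both set to the
    same arbitrary string. This passes, and that is by design: double-submit
    only defends against a cross-site page that cannot read or write the
    victim's cookies. Whoever can already write the csrftoken cookie in the
    victim's browser is outside the CSRF threat model, as the comment says."""
    return csrf_check(_edit_profile_request("a" * 15, "a" * 15, EDIT_PAGE))
```

The four scenario functions are the point of the example: the only request that passes with attacker-chosen values is the one where the attacker already controls the victim's cookie jar, which is exactly the case the closing comment rules out of scope.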
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard