Closed Bug 931065 Opened 12 years ago Closed 1 year ago

possible clickjacking in webfwd.org

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: curtisk, Unassigned)

Details

(Keywords: reporter-external, sec-moderate, wsec-other, Whiteboard: [site:webfwd.org][reporter-external])

Date: Thu, 24 Oct 2013 22:56:54 +0530
Subject: Reporting a serious vulnerability in your respective domain webfwd.org
From: Ravindra Singh Rathore <rsrathoreravi@gmail.com>
To: security@mozilla.org
-----//-----
Hello there,

I am Ravindra Singh, a security researcher from India, and I have found a very serious vulnerability in one of your domains, webfwd.org. And the vulnerability is clickjacking. According to this vulnerability, your website can be framed into some other HTML pages.

-- Regards --
Ravindra Singh Rathore
Security Researcher
mail - rsrathoreravi@gmail.com
Flags: sec-bounty?
assigned to dchan for verif
Assignee: nobody → dchan+bugzilla
Hi Ravindra,

Can you clarify what the attack is? I can see the XFO is not set on the site. However, there is no login functionality / accounts. The whole site should be static aside from the apply page.
Assignee: dchan+bugzilla → nobody
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(rsrathoreravi)
Whiteboard: [site:webfwd.org][reporter-external][verif?] → [site:webfwd.org][reporter-external]
Hello,

Actually, there is an application form on that page for webfwd, and an attacker can fill out this form on behalf of the victim.
Flags: needinfo?(rsrathoreravi)
Hi Ravindra,

Yes, it is possible for an attacker to fill out the form on behalf of the victim. However, you don't need missing XFO or CSRF for this type of attack to work. A malicious user can always go to the site and fill out the form with any details they want. Is there some other attack you were thinking of?
Flags: needinfo?(rsrathoreravi)
Hello David,

There are many possibilities for this, and missing XFO is one of them.
Flags: needinfo?(rsrathoreravi)
(In reply to Ravindra Singh from comment #5)
> Hello David,
>
> There are many possibilities for this and missing XFO is one of them.

Hi Ravindra,

The bounty committee has decided not to pay out on this bug. The site is missing XFO, as you mention; however, there isn't functionality on the site which can be abused in a clickjacking attack. Please let us know if we are overlooking something in your report and we will evaluate the bug again.
Group: websites-security
Flags: sec-bounty? → sec-bounty-
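The header check David describes doing by hand (is X-Frame-Options set, and does CSP frame-ancestors restrict framing) as an added, stand-alone Python example that is not part of this bug's thread or of any Mozilla tooling; the header sets it audits are constructed samples, not responses captured from webfwd.org:

```python
from typing import Mapping, Optional

# Constructed sample responses (not captured from webfwd.org): one with no
# anti-framing headers, one hardened, one that deliberately admits a partner.
UNPROTECTED = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED = {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
PARTNER = {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"}


def csp_frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_assessment(headers: Mapping[str, str]) -> dict:
    """Classify whether a cross-origin page may embed this response in a frame."""
    # Header names are case-insensitive; browsers that support CSP
    # frame-ancestors honour it over X-Frame-Options, so it is checked first.
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    ancestors = csp_frame_ancestors(lower.get("content-security-policy", ""))

    if ancestors is not None:
        # An empty source list, 'none', or 'self' alone all block third parties.
        framable = not all(src in ("none", "self") for src in ancestors)
        return {"mechanism": "csp", "framable_cross_origin": framable}
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"mechanism": "xfo", "framable_cross_origin": False}
    # ALLOW-FROM is obsolete and ignored by current browsers; it, a missing header
    # or a malformed value all amount to no protection.
    return {"mechanism": "none", "framable_cross_origin": True}


def audit(name: str, headers: Mapping[str, str]) -> str:
    """One-line finding; as the triage in this bug notes, a framable page is
    only worth acting on when it has state-changing functionality to abuse."""
    result = framing_assessment(headers)
    verdict = "framable by any origin" if result["framable_cross_origin"] else "protected"
    return f"{name}: {verdict} (mechanism: {result['mechanism']})"


if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("hardened", HARDENED),
                       ("partner", PARTNER)):
        print(audit(name, hdrs))
```

The result for a static page with no accounts, like the one discussed above, is the same "framable by any origin" line; the triage question is then whether anything on the page is worth a victim's click.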

Website is no longer active

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE