Remote unnotified account deletion
Bug #308288 reported by
rafavargas
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| sweetter |
Invalid
|
Critical
|
danigm | ||
Bug Description
A remote attacker could trick a victim to visit an external website where the malicious Javascript code executes and delete the user account without notifying him if he is currently logged in. I attach a proof of concept file. DON'T OPEN IT IF YOU ARE CURRENTLY LOGGED IN.
Revision history for this message
| rafavargas (rafavargas) wrote | #1 |
Revision history for this message
| danigm (danigm) wrote | #2 |
| Changed in sweetter: | |
| assignee: | nobody → danigm |
| importance: | Undecided → Critical |
| status: | New → Invalid |
To post a comment you must log in.
This is not a bug, when you open that link you was redirected to destroySelf because there is a session variable that control that you was in destroySelf before delete the account.
Thanks for this bug report.
-------------
He estado haciendo algunas pruebas y no me ha borrado la cuenta, simplemente me ha redirigido a destroySelf. En principio esto estaba contemplado, ya que se usa una variable de sesión como bandera para evitar que se borre una cuenta sin haber pasado por esta página. Solo funciona este enlace si entras en destroySelf una vez y posteriormente entras en esta página sin haber pulsado NO.
De todas formas, muchas gracias por el reporte de bug.