Click-Jacking attack on user account self-deletion page

Reported by Hugh Davenport on 2012-09-27
Affects      Importance   Assigned to
Mahara       High         Hugh Davenport
Mahara 1.4   High         Hugh Davenport
Mahara 1.5   High         Hugh Davenport

Bug Description

Hi Mahara Security Team,

I have found a critical clickjacking vulnerability in Mahara's website at the
following URL: https://mahara.org/account/delete.php. Using this
vulnerability an attacker can delete any Mahara user's account, and the
attacker can also bypass any anti-CSRF tokens if they are implemented. This
URL is vulnerable to a clickjacking attack because the X-Frame-Options header
and JavaScript-based framebusting are missing. I have attached the PoC
screenshots and demo code for more details.

Ajay
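
The precondition for the attack described above is that delete.php can be loaded in a cross-origin iframe. The following is an added example, not code from the report, the attached PoC, or the Mahara project: it evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers the way browsers do (CSP takes precedence when both are present; no header means any site may frame the page), and it builds the attacker-page shape the report refers to, a decoy button under a transparent iframe of the target. The header samples, the origins attacker.example and partner.example, and the pixel offsets are constructed for illustration and were not captured from mahara.org.

```javascript
// Added example, not Mahara project code: decide from a response's headers
// whether a page can be put in a cross-origin <iframe>, which is the
// precondition for the clickjacking described in this report. Browsers give
// a CSP frame-ancestors directive precedence over X-Frame-Options when both
// are present; with neither header, any site may frame the page.

// Parse raw HTTP header text into a map keyed by lowercase field name.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;                       // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Match one frame-ancestors source expression against the embedding origin.
// Simplification: a source written without a scheme matches any scheme.
function sourceMatches(source, embedder, target) {
  const src = source.replace(/^'|'$/g, '').toLowerCase();
  if (src === 'none') return false;
  if (src === 'self') return embedder === target;
  if (src === '*') return true;
  const origin = new URL(embedder);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return origin.protocol === src;   // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && origin.protocol !== `${scheme}:`) return false;
  const hostOk = wildcard ? origin.hostname.endsWith(`.${host}`) : origin.hostname === host;
  if (!hostOk) return false;
  const defaultPort = { 'https:': '443', 'http:': '80' }[origin.protocol] || '';
  if (port && port !== '*' && (origin.port || defaultPort) !== port) return false;
  return true;
}

// True when `embedder` may frame a page at `target` that answered with `headers`.
function framingAllowed(headers, embedder, target) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    // An empty source list is equivalent to 'none'.
    return directive.split(/\s+/).slice(1).some((s) => sourceMatches(s, embedder, target));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === target;
  // No header, an unknown value, or the withdrawn ALLOW-FROM form: current
  // browsers apply no restriction, so the page is framable.
  return true;
}

// Attacker page for the technique the report describes: a decoy button with a
// transparent iframe of the target laid over it, so the victim's click lands on
// the target's own submit button. The offsets are assumptions; a real PoC
// measures them against the target's layout.
function buildClickjackPoc(targetUrl, decoyLabel, offsetX, offsetY) {
  return `<!doctype html><title>Prize</title>
<button style="position:absolute;left:${offsetX}px;top:${offsetY}px">${decoyLabel}</button>
<iframe src="${targetUrl}" style="position:absolute;left:0;top:0;width:1200px;height:900px;opacity:0;z-index:2"></iframe>`;
}

// Constructed sample responses; none of these were captured from mahara.org.
const REPORTED = parseHeaders('HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n');
const FIXED_XFO = parseHeaders('HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n');
const FIXED_CSP = parseHeaders(
  "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Security-Policy: frame-ancestors 'self' https://*.partner.example\r\n",
);
const ATTACKER = 'https://attacker.example';   // assumed attacker origin
const TARGET = 'https://mahara.org';

function assess() {
  return {
    reported: framingAllowed(REPORTED, ATTACKER, TARGET),                          // true: exposed
    xfoCrossOrigin: framingAllowed(FIXED_XFO, ATTACKER, TARGET),                    // false
    xfoSameOrigin: framingAllowed(FIXED_XFO, TARGET, TARGET),                       // true
    cspPartner: framingAllowed(FIXED_CSP, 'https://lms.partner.example', TARGET),   // true: CSP wins over DENY
    cspAttacker: framingAllowed(FIXED_CSP, ATTACKER, TARGET),                       // false
  };
}

console.log(assess());
```

The FIXED_CSP sample is deliberately contradictory (X-Frame-Options: DENY next to a frame-ancestors list that names a partner) to show that a browser honouring CSP ignores the older header; a deployment that wants the two to agree should send `frame-ancestors 'self'` with `SAMEORIGIN`, or `'none'` with `DENY`. The JavaScript framebusting the report also mentions is only a fallback for browsers without either header and can be defeated by an attacker page using the iframe `sandbox` attribute, so it is not a substitute for the header.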

Hugh Davenport (hugh-davenport) wrote :
Changed in mahara:
status: Confirmed → In Progress

Hi,

Thanks for the updates.

Regards!

Ajay Singh Negi.

On Fri, Sep 28, 2012 at 5:24 AM, Launchpad Bug Tracker <email address hidden> wrote:

> *** This bug is a security vulnerability ***
>
> You have been subscribed to a private security bug by Hugh Davenport
> (hugh-catalyst):
>
> Hi Mahara Security Team,
>
> I have found a critical clickjacking vulnerability in Mahara's website at the
> following URL: https://mahara.org/account/delete.php. Using this
> vulnerability an attacker can delete any Mahara user's account, and the
> attacker can also bypass any anti-CSRF tokens if they are implemented. This
> URL is vulnerable to a clickjacking attack because the X-Frame-Options header
> and JavaScript-based framebusting are missing. I have attached the PoC
> screenshots and demo code for more details.
>
> Ajay
>
> ** Affects: mahara
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
> ** Affects: mahara/1.4
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
> ** Affects: mahara/1.5
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
>
> ** Tags: security
> --
> Click-Jacking attack on user account self-deletion page
> https://bugs.launchpad.net/bugs/1057240
> You received this bug notification because you are subscribed to the bug
> report.
>

Hi,

Thanks for providing the information.

Regards!

Ajay Singh Negi.


Melissa Draper (melissa) on 2012-10-10
visibility: private → public
Changed in mahara:
status: In Progress → Fix Released

 status fixreleased
