Click-Jacking attack on user account self-deletion page
Bug #1057240 reported by Hugh Davenport. This bug affects 1 person.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Hugh Davenport |
1.4 | Fix Released | High | Hugh Davenport |
1.5 | Fix Released | High | Hugh Davenport |
Bug Description
Hi Mahara Security Team,
I have found a Critical Click Jacking vulnerability in Mahara's website at the following URL: https://mahara.org/account/delete.php. Using this vulnerability an attacker can delete any Mahara user's account, and the attacker can also bypass any anti-CSRF tokens if they are implemented. As this URL is vulnerable to Click Jacking attack, the X-Frame-Options header and JavaScript-based framebusting are missing. I have attached the POC screenshots and demo code for more details.
Ajay
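The report's finding is that the self-deletion page is served with no anti-framing control, so an attacker's page can overlay it and have the victim's own browser (cookies and CSRF token included) submit the delete. The check below is an added example, not Mahara's code and not the reporter's attached demo: it evaluates a response's headers the way a current browser does, taking CSP frame-ancestors in preference to X-Frame-Options when both are present, treating ALLOW-FROM as no protection (never supported by Chromium, dropped by Firefox), and reporting whether a given framing origin could embed the page. The origins (https://mahara.org for the page, https://attacker.example for the overlay host) and the sample header sets are constructed assumptions.

```python
"""Evaluate whether an HTTP response can be embedded in a frame by another origin.

Added example; not Mahara's code. The sample responses and origins below are
constructed for illustration.
"""
from typing import Dict, List, Tuple, Union
from urllib.parse import urlsplit

Headers = Dict[str, Union[str, List[str]]]


def _values(headers: Headers, name: str) -> List[str]:
    """All values of a header, matched case-insensitively (a header may repeat)."""
    out: List[str] = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            out.extend(value if isinstance(value, list) else [value])
    return out


def _origin(url: str) -> Tuple[str, str, int]:
    """Normalise an origin string to (scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or (443 if scheme == "https" else 80)


def _source_matches(source: str, framer: str, page: str) -> bool:
    """Match one CSP frame-ancestors source expression against the framing origin."""
    low = source.strip().lower()
    if low == "'none'":
        return False
    if low == "'self'":
        return _origin(framer) == _origin(page)
    if low == "*":
        return True
    f_scheme, f_host, f_port = _origin(framer)
    if low.endswith(":") and "/" not in low:          # scheme-source, e.g. "https:"
        return f_scheme == low[:-1]
    # host-source: [scheme://]host[:port]; a leading "*." matches subdomains only (not the
    # bare domain), and a scheme-less host-source is accepted for any scheme here.
    scheme, _, rest = low.rpartition("://")
    host, _, port = rest.partition(":")
    if scheme and scheme != f_scheme:
        return False
    if port and port != "*" and int(port) != f_port:
        return False
    if host.startswith("*."):
        return f_host.endswith(host[1:])
    return f_host == host


def frameable_by(headers: Headers, framer: str, page: str) -> bool:
    """True if a current browser would render `page`'s response inside a frame on `framer`."""
    # CSP frame-ancestors takes precedence: when it is present, X-Frame-Options is ignored.
    # Several CSP headers may be sent; every one of them must allow the framer.
    directives: List[List[str]] = []
    for policy in _values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                directives.append(tokens[1:])
    if directives:
        return all(any(_source_matches(s, framer, page) for s in srcs) for srcs in directives)

    xfo = [v.strip().upper() for v in _values(headers, "X-Frame-Options")]
    if not xfo:
        return True            # no anti-framing header at all: the state the report describes
    if xfo[0] == "DENY":
        return False
    if xfo[0] == "SAMEORIGIN":
        return _origin(framer) == _origin(page)
    # ALLOW-FROM (never supported by Chromium, dropped by Firefox) and misspelt values are
    # ignored by current browsers, so they leave the page frameable.
    return True


# Constructed sample responses. VULNERABLE models the delete page as reported (no
# anti-framing header); the others are candidate fixes and common mistakes.
PAGE = "https://mahara.org"               # origin of account/delete.php (assumed)
ATTACKER = "https://attacker.example"     # origin hosting the overlay page (assumed)

VULNERABLE = {"Content-Type": "text/html; charset=utf-8"}
FIX_XFO = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
FIX_CSP = {"Content-Type": "text/html",
           "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
ALLOW_FROM_ONLY = {"X-Frame-Options": "ALLOW-FROM https://mahara.org"}
CSP_WINS = {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors https://*.mahara.org"}

if __name__ == "__main__":
    for name, hdrs in [("vulnerable", VULNERABLE), ("xfo", FIX_XFO), ("csp", FIX_CSP),
                       ("allow-from", ALLOW_FROM_ONLY), ("csp-wins", CSP_WINS)]:
        print(f"{name:10s} frameable by attacker: {frameable_by(hdrs, ATTACKER, PAGE)}")
```

Two points the sample sets make: the CSP_WINS case shows that a frame-ancestors directive silently overrides a stricter X-Frame-Options: DENY, so the two headers must be kept consistent when both are deployed; and ALLOW_FROM_ONLY shows a header that looks like a fix but protects nothing in current browsers. JavaScript framebusting, the other control the report mentions, is not modelled here because a framing page can disable it with the iframe sandbox attribute; the response header is the control to rely on.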
visibility: private → public
Changed in mahara: status: In Progress → Fix Released
Hi,
Thanks for the updates.
Regards!
Ajay Singh Negi.
On Fri, Sep 28, 2012 at 5:24 AM, Launchpad Bug Tracker <email address hidden> wrote:
> *** This bug is a security vulnerability ***
>
> You have been subscribed to a private security bug by Hugh Davenport
> (hugh-catalyst):
>
> Hi Mahara Security Team,
>
> I have found a Critical Click Jacking vulnerability in Mahara's website at the
> following URL: https://mahara.org/account/delete.php. Using this
> vulnerability an attacker can delete any Mahara user's account, and the
> attacker can also bypass any anti-CSRF tokens if they are implemented. As this
> URL is vulnerable to Click Jacking attack, the X-Frame-Options header
> and JavaScript-based framebusting are missing. I have attached the POC
> screenshots and demo code for more details.
>
> Ajay
>
> ** Affects: mahara
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
> ** Affects: mahara/1.4
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
> ** Affects: mahara/1.5
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
> ** Tags: security
> --
> Click-Jacking attack on user account self-deletion page
> https://bugs.launchpad.net/bugs/1057240
> You received this bug notification because you are subscribed to the bug
> report.