Comment 2 for bug 1057240
Revision history for this message
| Ajay Singh Negi (ajaysinghnegi01) wrote Re: [Bug 1057240] [NEW] Click-Jacking attack on user account self-deletion page | #2 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
Hi,
Thanks for the updates.
Regards!
Ajay Singh Negi.
On Fri, Sep 28, 2012 at 5:24 AM, Launchpad Bug Tracker <
<email address hidden>> wrote:
> *** This bug is a security vulnerability ***
>
> You have been subscribed to a private security bug by Hugh Davenport
> (hugh-catalyst):
>
> Hi Mahara Security Team,
>
> I have found a Critical Click Jacking vulnerability in Mahara's websites
> following url https:/
> vulnerability an attacker can delete any mahara users account and the
> attacker can also bypass any anti-csrf tokens if it is implemented. As this
> Url is vulnerable to Click Jacking attack, the X-frame-Options in header
> and javascript based framebusting is missing. I have attached the POC
> screenshots and demo code for more details.
>
> Ajay
>
> ** Affects: mahara
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
> ** Affects: mahara/1.4
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
> ** Affects: mahara/1.5
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
>
> ** Tags: security
> --
> Click-Jacking attack on user account self-deletion page
> https:/
> You received this bug notification because you are subscribed to the bug
> report.
>