Comment 2 for bug 1057240

Ajay Singh Negi (ajaysinghnegi01) wrote : Re: [Bug 1057240] [NEW] Click-Jacking attack on user account self-deletion page

Hi,

Thanks for the updates.

Regards!

Ajay Singh Negi.

On Fri, Sep 28, 2012 at 5:24 AM, Launchpad Bug Tracker <<email address hidden>> wrote:

> *** This bug is a security vulnerability ***
>
> You have been subscribed to a private security bug by Hugh Davenport
> (hugh-catalyst):
>
> Hi Mahara Security Team,
>
> I have found a critical clickjacking vulnerability in Mahara's website at
> the following URL: https://mahara.org/account/delete.php. Using this
> vulnerability an attacker can delete any Mahara user's account, and the
> attacker can also bypass any anti-CSRF tokens if they are implemented. This
> URL is vulnerable to a clickjacking attack, as the X-Frame-Options header
> and JavaScript-based frame busting are missing. I have attached the PoC
> screenshots and demo code for more details.
>
> Ajay
>
> ** Affects: mahara
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
> ** Affects: mahara/1.4
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
> ** Affects: mahara/1.5
> Importance: High
> Assignee: Hugh Davenport (hugh-catalyst)
> Status: In Progress
>
>
> ** Tags: security
> --
> Click-Jacking attack on user account self-deletion page
> https://bugs.launchpad.net/bugs/1057240
> You received this bug notification because you are subscribed to the bug
> report.
>
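The report above says the self-deletion page is frameable because it sends no X-Frame-Options header and has no frame-busting script. The following audit script is an added example, not Mahara's code and not the reporter's attached PoC: given a response header set, it decides whether a page can be embedded from a third-party origin, applying CSP frame-ancestors first (which overrides X-Frame-Options when present) and falling back to X-Frame-Options. The header dictionaries, the attacker origin and the simplified host-source matching rules are constructed for illustration; the obsolete ALLOW-FROM value is treated as absent because current browsers ignore it.

```python
"""Audit whether an HTTP response can be framed by a third-party origin.

Added example (not Mahara's code and not the reporter's PoC). The header
dictionaries below are constructed for illustration, not captured from
mahara.org. The matching rules are a simplified reading of the CSP
frame-ancestors and X-Frame-Options semantics: CSP frame-ancestors, when
present, overrides X-Frame-Options; ALLOW-FROM is treated as absent because
current browsers ignore it.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(origin):
    """Return (scheme, host, port) for an origin such as https://evil.example:8443."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def host_source_matches(source, origin):
    """Match one CSP host-source (e.g. https://*.mahara.org) against an origin."""
    scheme, host, port = parse_origin(origin)
    src = source.lower()
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. "https:"
        return scheme == src[:-1]
    if "://" in src:
        src_scheme, rest = src.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        rest = src
    rest = rest.split("/", 1)[0]                      # frame-ancestors ignores paths
    if ":" in rest:
        src_host, src_port = rest.rsplit(":", 1)
        if src_port != "*" and src_port != str(port):
            return False
    else:
        src_host = rest
        if port != DEFAULT_PORTS.get(scheme):         # no port given: default port only
            return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:]) and host != src_host[2:]
    return host == src_host


def frame_ancestors_allow(csp_value, attacker_origin, page_origin):
    """True/False if the policy has a frame-ancestors directive, None if it does not."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [t.lower() for t in tokens[1:]]
        if not sources or sources == ["'none'"]:
            return False
        for src in sources:
            if src == "'self'":
                if parse_origin(attacker_origin) == parse_origin(page_origin):
                    return True
            elif src.startswith("'"):
                continue                              # other keywords are meaningless here
            elif host_source_matches(src, attacker_origin):
                return True
        return False
    return None


def xfo_allows(xfo_value, attacker_origin, page_origin):
    """Evaluate X-Frame-Options; None means the header imposes no restriction."""
    value = xfo_value.strip().lower()
    if value == "deny":
        return False
    if value == "sameorigin":
        return parse_origin(attacker_origin) == parse_origin(page_origin)
    return None   # ALLOW-FROM and unknown values are ignored by current browsers


def frameable_by(headers, attacker_origin, page_origin):
    """Decide whether a page served with `headers` can be embedded from attacker_origin.

    If it can, a page on attacker_origin can load the real, authenticated
    self-deletion form in a transparent iframe and trick the victim into
    clicking its submit button; any anti-CSRF token is then sent by the
    victim's own browser, which is why such a token does not stop clickjacking.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in h:
        verdict = frame_ancestors_allow(h["content-security-policy"], attacker_origin, page_origin)
        if verdict is not None:
            return verdict
    if "x-frame-options" in h:
        verdict = xfo_allows(h["x-frame-options"], attacker_origin, page_origin)
        if verdict is not None:
            return verdict
    return True   # nothing restricts framing: the page is clickjackable


# Constructed sample responses for the self-deletion page (not captured data).
PAGE_ORIGIN = "https://mahara.org"
ATTACKER_ORIGIN = "https://attacker.example"
VULNERABLE = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",                      # legacy browsers
    "Content-Security-Policy": "frame-ancestors 'self'",  # modern browsers
}

if __name__ == "__main__":
    for name, hdrs in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, "frameable by attacker:", frameable_by(hdrs, ATTACKER_ORIGIN, PAGE_ORIGIN))
```

Send both headers: X-Frame-Options for older browsers and CSP frame-ancestors for current ones. A JavaScript frame-busting snippet is only a last resort, since an attacker can neutralise it with a sandboxed iframe that blocks script, whereas the headers are enforced by the browser before the page runs.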