Remote unnotified account deletion

Bug #308288 reported by rafavargas on 2008-12-15
4
Affects Status Importance Assigned to Milestone
sweetter
Critical
danigm

Bug Description

A remote attacker could trick a victim to visit an external website where the malicious Javascript code executes and delete the user account without notifying him if he is currently logged in. I attach a proof of concept file. DON'T OPEN IT IF YOU ARE CURRENTLY LOGGED IN.

rafavargas (rafavargas) wrote :
danigm (danigm) wrote :

This is not a bug, when you open that link you was redirected to destroySelf because there is a session variable that control that you was in destroySelf before delete the account.

Thanks for this bug report.

-------------

He estado haciendo algunas pruebas y no me ha borrado la cuenta, simplemente me ha redirigido a destroySelf. En principio esto estaba contemplado, ya que se usa una variable de sesión como bandera para evitar que se borre una cuenta sin haber pasado por esta página. Solo funciona este enlace si entras en destroySelf una vez y posteriormente entras en esta página sin haber pulsado NO.

De todas formas, muchas gracias por el reporte de bug.

Changed in sweetter:
assignee: nobody → danigm
importance: Undecided → Critical
status: New → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments