Click-Jacking attack on user account self-deletion page

Bug #1057240 reported by Hugh Davenport
Affects       Status         Importance   Assigned to      Milestone
Mahara        Fix Released   High         Hugh Davenport
mahara/1.4    Fix Released   High         Hugh Davenport
mahara/1.5    Fix Released   High         Hugh Davenport

Bug Description

Hi Mahara Security Team,

I have found a critical clickjacking vulnerability on the Mahara website at the
following URL: https://mahara.org/account/delete.php. Using this vulnerability
an attacker can delete any Mahara user's account, and the attacker can also
bypass any anti-CSRF tokens if they are implemented. This URL is vulnerable to a
clickjacking attack because the X-Frame-Options header and JavaScript-based
framebusting are missing. I have attached the PoC screenshots and demo code for
more details.

Ajay

Tags: security
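The report comes down to one response-side control: whether the server tells the browser not to render the page inside a third-party frame. The following Python is an added example, not Mahara's code and not the reporter's PoC: given a page's response headers, it decides whether a given embedding origin would be allowed to frame that page, following the precedence browsers apply (CSP frame-ancestors overrides X-Frame-Options when both are present), and runs that decision over a constructed set of header combinations, the unprotected state the report describes next to candidate fixes. The origins attacker.example and partner.example, the function names and the header sets are assumptions for illustration.

```python
"""Clickjacking header check (added example): would a browser let the page at
page_url be framed by a document served from embedder_url?"""
from urllib.parse import urlsplit

DEFAULT_PORT = {"https": 443, "http": 80}


def _origin(url):
    """(scheme, host, port) triple of a URL; the unit browsers compare."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORT[scheme])


def _csp_frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the policy
    has no such directive. An empty source list matches nothing ('none')."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]] or ["'none'"]
    return None


def _source_matches(source, embedder, page):
    """Simplified CSP source matching: 'none', 'self', '*', scheme sources
    (https:) and host sources ([scheme://]host[:port], '*.' wildcard label)."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return embedder == page
    if source.endswith(":") and "/" not in source:          # e.g. "https:"
        return embedder[0] == source[:-1]
    scheme, _, hostport = source.rpartition("://")
    host, _, port = hostport.partition(":")
    if scheme and scheme != embedder[0]:
        return False
    if port and port != "*" and int(port) != embedder[2]:
        return False
    if host.startswith("*."):
        return embedder[1].endswith(host[1:])
    return embedder[1] == host


def framing_allowed(headers, page_url, embedder_url):
    """True if the page renders inside a frame on embedder_url.
    CSP frame-ancestors, when present, takes precedence over X-Frame-Options;
    ALLOW-FROM is obsolete and ignored by current browsers, so an absent,
    unknown or ALLOW-FROM value gives no protection at all."""
    page, embedder = _origin(page_url), _origin(embedder_url)
    h = {k.lower(): v for k, v in headers.items()}
    sources = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, embedder, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True


# Constructed sample responses (not captured from mahara.org). The first one
# mirrors the state the report describes: no X-Frame-Options, no CSP.
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://a.example"},
    # CSP wins over the conflicting XFO: same-origin framing stays allowed.
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
                 "X-Frame-Options": "DENY"},
    "csp_allowlist": {"Content-Security-Policy":
                      "frame-ancestors 'self' https://*.partner.example"},
}

PAGE = "https://mahara.org/account/delete.php"
ATTACKER = "https://attacker.example/"   # assumed hostile embedding origin


def audit(samples=SAMPLES, page=PAGE, attacker=ATTACKER):
    """Name -> True when the attacker origin can frame the page (vulnerable)."""
    return {name: framing_allowed(h, page, attacker) for name, h in samples.items()}


if __name__ == "__main__":
    for name, vulnerable in audit().items():
        print(f"{name:15} {'VULNERABLE' if vulnerable else 'blocked'}")
```

Two caveats worth keeping in mind when reading the results: X-Frame-Options with ALLOW-FROM is treated as no protection because current browsers ignore it, and JavaScript framebusting on its own is not a substitute for the header, since an attacker can frame the page with the iframe sandbox attribute and suppress the script's top-level navigation; the header is the control to verify.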

Hugh Davenport (hugh-davenport) wrote :
Changed in mahara:
status: Confirmed → In Progress
Ajay Singh Negi (ajaysinghnegi01) wrote : Re: [Bug 1057240] [NEW] Click-Jacking attack on user account self-deletion page

Hi,

Thanks for the updates.

Regards!

Ajay Singh Negi.

On Fri, Sep 28, 2012 at 5:24 AM, Launchpad Bug Tracker <
<email address hidden>> wrote:

Ajay Singh Negi (ajaysinghnegi01) wrote :

Hi,

Thanks for providing the information.

Regards!

Ajay Singh Negi.

On 9/28/12, Launchpad Bug Tracker <email address hidden> wrote:

Melissa Draper (melissa)
visibility: private → public
Changed in mahara:
status: In Progress → Fix Released
Hugh Davenport (hugh-davenport) wrote :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 status fixreleased
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iJwEAQECAAYFAlCbHO8ACgkQuMoJ2LQ3zxH8TAP/YN4BiCJZsn5a899/0UzV31Qg
lM8LXAwZWa6zFv6t0BQUHCqe6eFK9wPp51qgCWWXjUZ3vvvVcsyeWp6626aBFKSU
pCQXI9E7huPw802nJQ9WcZXRBUmgw87ww72Tx4mybnu7SPSrkZgXdnPGSMwDs89N
oWvTpl7Xuac48e6p0lU=
=ouU+
-----END PGP SIGNATURE-----
