Wednesday, February 23, 2011

:::SPAS3C-WV-006:::Multiple Vulnerabilities in Mozilla Sites



This is old stuff, which I should have posted before, discovered in Mozilla websites several weeks ago:

  • bugzilla.mozilla.org: CSRF (saved searches).
  • creative.mozilla.org: CSRF (user profile).
  • developer.mozilla.org: Plain text password disclosure.
I will provide some details about them.

1. CSRF (saved searches) in bugzilla.mozilla.org

PoC: http://pastebin.com/63H2YtMd

Sec-Severity: Low/Medium


Description: Saved searches in the Bugzilla user panel are not protected against CSRF attacks, and this could be used to add bullshit.

This vulnerability affects Bugzilla (the bug tracking system of the Mozilla Foundation) <= 3.2.9, 3.4.9, 3.6.3, and 4.0rc1
Reference: http://www.bugzilla.org/security/3.2.9/

Screenshot:

Fig.1: Launching the CSRF exploit


Fig.2: Exploit executed successfully

2. CSRF (user profile) in creative.mozilla.org

PoC: http://pastebin.com/0r1MyvVv

Sec-Severity: Critical

CVE: N/A

Description: User profile could be changed using a CSRF attack.

Screenshot:

Fig.3: CSRF (user profile) in creative.mozilla.org
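
The usual fix for both CSRF issues above (saved searches and user profile) is a per-session, per-action token that the server checks before changing any state. The sketch below is an added example, not code from this post, Bugzilla or the Mozilla sites; the handler, the action names, the in-memory store and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, kept server-side
TOKEN_TTL = 3600                      # assumption: tokens are valid for one hour


def _mac(session_id, action, ts):
    # Binding the MAC to session, action and issue time means a token lifted
    # from one user or one form is useless for another.
    msg = "|".join((session_id, action, ts)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, action, now=None):
    """Value for the hidden form field the server renders for `action`."""
    ts = str(int(time.time() if now is None else now))
    return ts + "." + _mac(session_id, action, ts)


def token_ok(session_id, action, token, now=None):
    """True only for an unexpired token issued to this session for this action."""
    try:
        ts, digest = token.split(".", 1)
        age = (time.time() if now is None else now) - int(ts)
        given = digest.encode()
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if not 0 <= age <= TOKEN_TTL:
        return False
    return hmac.compare_digest(_mac(session_id, action, ts).encode(), given)


def handle(session, method, action, params, store):
    """Hypothetical endpoint for state-changing actions; returns an HTTP status."""
    if method != "POST":
        return 405  # state changes never ride on GET
    if not token_ok(session["id"], action, params.get("token")):
        return 403  # a cross-site form carries the cookie but cannot know the token
    fields = {k: v for k, v in params.items() if k != "token"}
    store.setdefault(session["user"], {})[action] = fields
    return 200
```
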

3. Plain text password disclosure in developer.mozilla.org

PoC: Register at developer.mozilla.org and then come back to check your mail. The site sent your password in plain text.

Sec-Severity: High

CVE: N/A

Description: MDC sent your password in plain text.

Screenshot:


Fig.4: Plain text password disclosure

And yep, my MDC password contains an "e".

On the other hand, the Mozilla security team solves these issues quickly.
That's all. Be safe ;)