Wednesday, February 23, 2011

:::SPAS3C-WV-006:::Multiple Vulnerabilities in Mozilla Sites

This is old stuff, which I should have posted before, discovered in Mozilla websites several weeks ago:

  • bugzilla.mozilla.org: CSRF (saved searches).
  • creative.mozilla.org: CSRF (user profile).
  • developer.mozilla.org: Plain text password disclosure.

I will provide some details about them.

1. CSRF (saved searches) in bugzilla.mozilla.org

PoC: http://pastebin.com/63H2YtMd

Sec-Severity: Low/Medium

Description: Saved searches in the Bugzilla user panel are not protected against CSRF attacks, which could be used to add bullshit.

This vulnerability affects Bugzilla (the bug tracking system of the Mozilla Foundation) <= 3.2.9, 3.4.9, 3.6.3, and 4.0rc1.
Reference: http://www.bugzilla.org/security/3.2.9/


Fig.1: Launching the CSRF exploit

Fig.2: Exploit executed successfully

2. CSRF (user profile) in creative.mozilla.org

PoC: http://pastebin.com/0r1MyvVv

Sec-Severity: Critical


Description: User profile could be changed using a CSRF attack.


Fig.3: CSRF (user profile) in creative.mozilla.org
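Both CSRF findings above (saved searches and user profile) are state-changing requests that were not protected against cross-site forgery. The following Python code is an added example, not code from the original post, from Bugzilla or from any Mozilla site: it binds each such request to a per-user, per-action token and rejects forms that lack a valid one. The secret, the action names and the `handle_post` handler are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed secret for this example; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-example-secret"
TOKEN_LIFETIME = 3600  # seconds a token stays valid


def _mac(user_id, action, issued):
    # JSON encoding keeps the (user, action, time) triple unambiguous.
    msg = json.dumps([user_id, action, issued]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, action, now=None):
    """Return a token bound to one user and one state-changing action."""
    issued = int(time.time() if now is None else now)
    return f"{issued}-{_mac(user_id, action, issued)}"


def check_token(token, user_id, action, now=None):
    """Accept only a token issued to this user, for this action, within the lifetime."""
    now = int(time.time() if now is None else now)
    try:
        issued_str, mac = token.split("-", 1)
        issued = int(issued_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token, as in a forged cross-site form
    if not 0 <= now - issued <= TOKEN_LIFETIME:
        return False  # expired, or stamped in the future
    expected = _mac(user_id, action, issued)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_post(session_user, action, form):
    """Hypothetical handler: refuse the state change unless the form carries a valid token."""
    if not check_token(form.get("token"), session_user, action):
        return 403
    return 200
```

The token goes into a hidden field of the legitimate form; a page on another origin can submit the form but cannot read the token, so its request ends in the 403 branch.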

3. Plain text password disclosure in developer.mozilla.org

PoC: Register at developer.mozilla.org, then come back and check your mail. The site sent your password in plain text.

Sec-Severity: High


Description: MDC sent your password in plain text.


Fig.4: Plain text password disclosure

And yep, my MDC password contains an "e".

On the other hand, the Mozilla security team solves these issues quickly.
That's all. Be safe ;)