
mahara-contributors team mailing list archive

[Bug 1057240] Re: Click-Jacking attack on user account self-deletion page


** Changed in: mahara/1.5
    Milestone: None => 1.5.4

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1057240

Title:
  Click-Jacking attack on user account self-deletion page

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.4 series:
  In Progress
Status in Mahara 1.5 series:
  In Progress

Bug description:
  Hi Mahara Security Team,

  I have found a critical Click-Jacking vulnerability in Mahara's websites
  at the following URL: https://mahara.org/account/delete.php. Using this
  vulnerability an attacker can delete any Mahara user's account, and the
  attacker can also bypass any anti-CSRF tokens if they are implemented. This
  URL is vulnerable to a Click-Jacking attack, as the X-Frame-Options header
  and JavaScript-based framebusting are missing. I have attached the POC
  screenshots and demo code for more details.

  Ajay

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1057240/+subscriptions
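The report above turns on one observation: the account deletion page sends no anti-framing header. A defender verifying a fix for this class of bug wants a repeatable check of the response headers rather than a screenshot. The following is an added example, not Mahara's own code or anything from the bug tracker; it assumes the headers are available as a plain dictionary (as returned by most HTTP client libraries) and treats a page as protected when it sends `X-Frame-Options: DENY` or `SAMEORIGIN`, or a Content-Security-Policy whose `frame-ancestors` directive does not allow arbitrary origins. The sample header sets are constructed for illustration and were not captured from mahara.org.

```python
"""Classify HTTP response headers by their clickjacking (framing) protection.

Added example, not Mahara project code. The checks implement the two
standard mitigations named in the bug report's terms: the X-Frame-Options
header and, its modern replacement, the CSP frame-ancestors directive.
"""


def _header(headers, name):
    """Case-insensitive lookup of a header value; returns None if absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive in a CSP value.

    Returns None when the directive is absent (or csp is None/empty).
    """
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def frame_protection_status(headers):
    """Return 'protected', 'weak' or 'missing' for a dict of response headers.

    CSP frame-ancestors takes precedence over X-Frame-Options in browsers that
    support it, so it is evaluated first. 'weak' covers settings that exist
    but do not reliably stop framing (a wildcard frame-ancestors, or the
    obsolete and widely unsupported ALLOW-FROM form of X-Frame-Options).
    """
    ancestors = frame_ancestors(_header(headers, "Content-Security-Policy"))
    if ancestors is not None:
        return "weak" if "*" in ancestors else "protected"

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return "missing"
    return "protected" if xfo.strip().upper() in ("DENY", "SAMEORIGIN") else "weak"


# Constructed sample responses (hypothetical; not captured from mahara.org).
VULNERABLE = {"Content-Type": "text/html; charset=utf-8"}
FIXED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(f"{label}: {frame_protection_status(sample)}")
```

A page that needs to be framed by a known partner can allow-list that origin in `frame-ancestors` and still be reported as protected here; only the wildcard is downgraded to `weak`. Framebusting JavaScript is deliberately not counted, since it is bypassable and the header-based controls are what a review should insist on.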