** Changed in: mahara/1.5
    Milestone: None => 1.5.4

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1057240

Title:
  Click-Jacking attack on user account self-deletion page

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.4 series:
  In Progress
Status in Mahara 1.5 series:
  In Progress

Bug description:
  Hi Mahara Security Team,

  I have found a critical click-jacking vulnerability in Mahara's website at
  the following URL: https://mahara.org/account/delete.php. Using this
  vulnerability, an attacker can delete any Mahara user's account, and the
  attacker can also bypass any anti-CSRF tokens if they are implemented. This
  URL is vulnerable to a click-jacking attack, as the X-Frame-Options header
  and JavaScript-based frame busting are missing. I have attached the POC
  screenshots and demo code for more details.

  Ajay
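Editor's note: the report above names the two missing controls (an anti-framing response header and a JavaScript frame-busting script). The snippet below is an added illustration of those controls for a sensitive PHP page such as a self-deletion form; it is not Mahara's own code, and the function names, the hypothetical page skeleton and the "Delete account" title are assumptions made for the example.

```php
<?php
// Added example, not Mahara's code: anti-framing protection for a page
// whose form must never be rendered inside another site's frame.

/**
 * Emit headers that forbid rendering this response in a frame on another
 * origin. X-Frame-Options is the older header; Content-Security-Policy
 * frame-ancestors is the current one and wins in browsers that support it.
 * Both are sent so old and new browsers are covered.
 */
function send_anti_framing_headers(bool $allow_same_origin = false): void
{
    // Headers can only be set before any output has been flushed.
    if (headers_sent()) {
        return;
    }
    if ($allow_same_origin) {
        header('X-Frame-Options: SAMEORIGIN');
        header("Content-Security-Policy: frame-ancestors 'self'");
    } else {
        header('X-Frame-Options: DENY');
        header("Content-Security-Policy: frame-ancestors 'none'");
    }
}

/**
 * Legacy frame-busting markup for browsers that ignore the headers.
 * The body starts hidden and is only revealed once script confirms the
 * page is the top-level window, so a framed copy stays invisible even
 * when the attacker's page sandboxes script to block "top.location".
 */
function frame_busting_script(): string
{
    return <<<'HTML'
<style id="antiClickjack">body { display: none !important; }</style>
<script>
if (self === top) {
    var s = document.getElementById('antiClickjack');
    s.parentNode.removeChild(s);
} else {
    top.location = self.location;
}
</script>
HTML;
}

// Hypothetical page skeleton: headers first, then the script in <head>.
send_anti_framing_headers();
echo "<!DOCTYPE html><html><head><title>Delete account</title>\n";
echo frame_busting_script();
echo "</head><body>\n";
// The real confirmation form (with its CSRF token) would be printed here.
echo "</body></html>\n";
```

The headers are the control that matters: a CSRF token does not help against click-jacking because the victim's own browser submits the genuine form, token included. In practice the headers belong in a central place (the front controller or web-server configuration) so every authenticated page is covered, not only the one URL named in the report.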

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1057240/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp