View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001535 | Main CAcert Website | certificate issuing | public | 2021-11-11 20:49 | 2021-11-28 22:10 |
Reporter | L10N | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | new | Resolution | open | ||
Platform | Main CAcert Website | OS | N/A | OS Version | stable |
Summary | 0001535: CSRF Token not being validated | ||||
Description | I'm Monsef djouadi a security researcher from Algeria , i created an account in your website and i've been And suddenly i found a security vulnerability which is CSRF Token not being validated in request of editing account which leads to account takeover I hope you fix that vulnerability to make web a safe place. | ||||
Additional Information | Transmission of Bug submitted by Facebook. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
|
Contribution by Ted on the mailing list: probably it would make sense to ask for a detailed step-by-step procedure on how to reproduce this problem. The current description is quite vague so it's hard to find the place to look for in detail (or does anyone already know?). I strongly assume that CSRF refers to Cross-Site-Request-Forgery, so probably a specifically prepared web page is needed to exploit this vulnerability. If such a web page could be provided it would greatly help in analysis. |
|
Answer on Facebook / asking for more information: Hello Moncef, I talked with one of our ingeneers. He said, it would make sense to send us a detailed step-by-step procedure on how to reproduce this problem. (you may write in English or French, just what is better for you.) The current description is or him quite vague so it's hard to find the place to look for in detail. He strongly assume that CSRF refers to Cross-Site-Request-Forgery - is he right? So probably a specifically prepared web page is needed to exploit this vulnerability. If such a web page could be provided it would greatly help in analysis. Thank you for telling us about this issues and beeing part of the community. Thank you and best regards, |