Page MenuHomePhabricator

Support CSRF for logged-out users
Closed, ResolvedPublic

Description

See https://hackerone.com/reports/774. A researcher reports that you can CSRF the login form for a logged-out user. That is, if you know the username and password of a Phabricator account, you can execute a targeted attack which logs a victim in with those credentials by having them visit a page which submits a login form on their behalf. (They must not already be logged in to another account.)

I think this is really scraping the bottom of the barrel in terms of legitimacy, but does represent a capability escalation and isn't an attack I was cognizant of (the lack of logged-out CSRF is known, but not threatening in other cases). I'm going to award this as legitimate and fix it.

Event Timeline

epriestley claimed this task.
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added projects: Auth, Security.
epriestley added subscribers: epriestley, btrahan, chad.
epriestley edited this Maniphest Task.Jan 23 2014, 4:32 PM
epriestley edited this Maniphest Task.Jan 23 2014, 5:35 PM
epriestley edited this Maniphest Task.Jan 23 2014, 6:18 PM
epriestley edited this Maniphest Task.Jan 23 2014, 7:21 PM
epriestley edited this Maniphest Task.
epriestley edited this Maniphest Task.Jan 23 2014, 7:25 PM
epriestley edited this Maniphest Task.Jan 23 2014, 10:01 PM
epriestley edited this Maniphest Task.
epriestley edited this Maniphest Task.
epriestley edited this Maniphest Task.Jan 23 2014, 10:03 PM
epriestley edited this Maniphest Task.
epriestley closed this task as Resolved.Jan 23 2014, 10:03 PM

Closed by commit rPf9ac534f255d.

epriestley edited this Maniphest Task.Jan 23 2014, 10:14 PM
epriestley edited this Maniphest Task.Jan 23 2014, 10:18 PM