mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-20 20:40:56 +01:00
152f05aebe
Summary:
Via HackerOne, there are two related low-severity issues with this workflow:

  - We don't check if you're already logged in, so an attacker can trick a victim (whether they're logged in or not) into clicking a reset link for an account the attacker controls (maybe via an invisible iframe) and log the user in under a different account.
  - We don't check CSRF tokens either, so after fixing the first thing, an attacker can still trick a //logged-out// victim in the same way.

It's not really clear that doing this opens up any significant attacks afterward, but both of these behaviors aren't good.

I'll probably land this for audit in a few hours if @btrahan doesn't have a chance to take a look at it, since he's probably on a plane for most of the day. I'm pretty confident it doesn't break anything.

Test Plan:
  - As a logged-in user, clicked another user's password reset link and was not logged in.
  - As a logged-out user, clicked a password reset link and needed to submit a form to complete the workflow.

Reviewers: btrahan

CC: chad, btrahan, aran

Differential Revision: https://secure.phabricator.com/D8079
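The two checks the commit message describes, worked through in a small model. This is an added example written for this page, not Phabricator or Phorge code: it assumes a hypothetical in-memory session store keyed by the browser's cookie value, one-time reset keys, and a CSRF token bound to the browser session even while that session is logged out. `get_vulnerable` is the "before" behaviour (a bare GET logs the browser in), while `get` and `post` are the "after": a logged-in session is refused outright, a GET only renders a form, and the login happens only on a POST that carries the session's CSRF token, which a cross-origin page (such as an invisible iframe) cannot read.

```python
"""Password-reset login links, modelled the way the commit message describes.

Hypothetical, self-contained model written for this page, not project code:
an in-memory session store keyed by cookie value, one-time reset keys, and a
per-session CSRF token that exists for logged-out sessions too.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def _new_token() -> str:
    return secrets.token_urlsafe(32)


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison for secret strings."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class Session:
    user: Optional[str] = None                          # None while logged out
    csrf_token: str = field(default_factory=_new_token)


class ResetWorkflow:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.reset_keys: Dict[str, str] = {}            # one-time key -> username

    def session(self, cookie: str) -> Session:
        return self.sessions.setdefault(cookie, Session())

    def issue_reset_link(self, username: str) -> str:
        """The key the reset e-mail carries. An attacker can always obtain one
        for an account they control, which is the starting point of the attack."""
        key = _new_token()
        self.reset_keys[key] = username
        return key

    def _find_key(self, key: str, consume: bool) -> Optional[str]:
        for stored, user in list(self.reset_keys.items()):
            if _eq(stored, key):
                if consume:
                    del self.reset_keys[stored]
                return user
        return None

    # "Before": a bare GET logs the browser in, with no login or CSRF check.
    def get_vulnerable(self, cookie: str, key: str) -> str:
        sess = self.session(cookie)
        user = self._find_key(key, consume=True)
        if user is None:
            return "invalid"
        sess.user = user        # whoever the victim was, they are now the attacker
        return "logged-in:" + user

    # "After": GET refuses logged-in sessions and otherwise only renders a form;
    # it changes no session state.
    def get(self, cookie: str, key: str) -> str:
        sess = self.session(cookie)
        if sess.user is not None:
            return "refused:already-logged-in"
        if self._find_key(key, consume=False) is None:
            return "invalid"
        return "form:csrf=" + sess.csrf_token

    # The login happens only on a POST carrying this session's CSRF token.
    def post(self, cookie: str, key: str, csrf_token: str) -> str:
        sess = self.session(cookie)
        if sess.user is not None:
            return "refused:already-logged-in"
        if not _eq(sess.csrf_token, csrf_token):
            return "refused:bad-csrf"
        user = self._find_key(key, consume=True)
        if user is None:
            return "invalid"
        sess.user = user
        sess.csrf_token = _new_token()   # rotate the token across the privilege change
        return "logged-in:" + user
```

The reset key is single-use and compared in constant time, and the CSRF token is rotated once the session changes principal; neither detail is stated in the commit message, but both are what a practitioner would expect of the form-based completion step it describes.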
bin
conf
externals
resources
scripts
src
support
webroot
.arcconfig
.divinerconfig
.editorconfig
.gitignore
LICENSE
NOTICE
README
Phabricator is an open source collection of web applications which help software companies build better software.

Phabricator includes applications for:

  - reviewing and auditing source code;
  - hosting and browsing repositories;
  - assembling a party to venture forth;
  - tracking bugs;
  - hiding stuff from coworkers; and
  - also some other things.

You can learn more about the project (and find links to documentation and resources) here:

  http://phabricator.org/

Phabricator is developed and maintained by Phacility. The first version of Phabricator was originally built at Facebook.

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.