URL: https://wiki.mozilla.org/
Browser / Version: Chrome 83.0.4103
Operating System: Linux
Tested Another Browser: Yes Chrome
Problem type: Something else
Description: Privilege escalation using default password
Steps to Reproduce:
Hello Mozilla Security Team.
During my bug hunting on the mozilla.org site,
I found wiki.mozilla.org. This site doesn't allow anonymous users to get admin-level access to edit pages. Only an invited or requested account which has been granted permission can create an account and edit the pages.
I tried to request an account for myself since it doesn't have a registration page. I found that my registration request had been purged because it was an anonymous user requesting an account.
So I tried to log in to the site using default credentials.
Suddenly, I was able to access a higher privilege level that allowed me to edit the webpages, add images, etc.
Impact of this issue:
This is a critical issue for the Mozilla Foundation.
i). An attacker might have defaced the website.
ii). Anybody can edit the webpages and add explicit, pornographic content, or use this website as a phishing website leading to massive account takeover.
iii). Delivery of malware, viruses, infected Mozilla products, etc.
iv). An attacker may have ruined the reputation of the Mozilla Foundation.
I hope the Security Team will have great concern for this issue.
For confirmation:
I have edited the webpage https://wiki.mozilla.org/Releases
and added phishing-site.com instead of the original site added by the admin.
I have also added an image depicting the defaced website.
Three POCs have been submitted in order to confirm the bug.
If you want, I will securely deliver the credentials I used to deface the site.
For contact, I am adding my HackerOne profile URL:
hackerone: https://hackerone.com/aaryan9898?type=user
My original email: Mahtoshivnath07gmail.com
Email used while submitting the bug: Mahtoshivnath702@gmail.com
twitter: https://twitter.com/Aaryan076?s=01
For more information related to the bug,
contact me at the above-mentioned addresses.
Thank you.
I hope the Mozilla security team will look into this issue as soon as possible.
From webcompat.com with ❤️