Hei, How you doing ?
just found another bug on Invitation Process. This one is really interesting!
With this bug, Attacker can send invitation request to a project that is even not created yet :p
Process is same as other two issues that i reported earlier, * Just send an **Invitation Request" to a private Project and use the POST Data to reproduce (with Live HTTP Header or any other Request Repeater).
POST : https://www.localize.im/projects/[Project ID] > Host: www.localize.im User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: https://www.localize.im/projects/[ID] Cookie: PHPSESSID=hp7c6gvbb93nu4o29tim85s3o5 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 95
Here, suppose ID of last Project created on Localize is
9a , now as localize application normally works, next ID will be
9b .. (i can be wrong here)
with Live HTTP Header, You can Send Requests to project that is not even created till now.. all you have to do is just change the ID parameter to
9f more and more and send request.
Now when Project with ID
9f will get created, doesn't matter this project is
PRIVATE (because of that bug i reported earlier), there will be an "Invitation Request" awaiting for confirmation.
Hope you will fix this one soon as possible..
Regards and Best Wishes, FaisaL Ahmed