
Bug 472396

Summary: [security] LEAKING PASSWORD RESET TOKEN VIA REFERRER
Product: Community
Reporter: Christopher Guindon <chris.guindon>
Component: Website
Assignee: Christopher Guindon <chris.guindon>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P2
CC: russellaurio12
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Mac OS X
See Also: https://git.eclipse.org/r/84697
https://git.eclipse.org/r/84698
https://git.eclipse.org/c/www.eclipse.org/eclipse.org-common.git/commit/?id=376e7a81f2a9221e9c4f583675fb10306748b41a
https://git.eclipse.org/c/websites/dev.eclipse.org.git/commit/?id=3b33cd4bd824f47aa2f0a2200bd2f0dffb9cbb0c
https://git.eclipse.org/r/84829
https://git.eclipse.org/r/84830
https://git.eclipse.org/c/websites/dev.eclipse.org.git/commit/?id=7916e1696532cf6a5eaa4d429b210faf92482bf8
https://git.eclipse.org/c/www.eclipse.org/eclipse.org-common.git/commit/?id=70485bdd773dfcb30a7d41ef768e9a24b4ab06e2
Whiteboard:
Attachments: Screenshot of HTTP headers (flags: none)

Description Christopher Guindon CLA 2015-07-10 12:54:40 EDT
Created attachment 255121 [details]
Screenshot of HTTP headers

Hello, I notice that you are leaking your user's password reset token if he/she clicks on external links.

Steps:
1. REQUEST A PASSWORD RESET TOKEN FOR YOUR ACCOUNT
2. LOAD THE TOKEN
3. Click on external links such as fb, google plus and view your referrer; it is your own token.

Kindly take a look sir

This is exploitable on domains where we have links to on the password reset page.

For example, in the footer we have links to fb, google, twitter, youtube.

We also have external links in the more menu to youtube. I think we need to create a flag on solstice where we can hide external links for specific pages like the password reset page.

We also have external links to polarsys and other websites that we own. Since we own these sites, I am not really worried about them.

Another solution is to require the user to copy and paste the token in the password reset form. We would need to include an input field for the token on that page.
Comment 1 Eclipse Genie CLA 2016-11-08 15:24:53 EST
New Gerrit change created: https://git.eclipse.org/r/84697
Comment 2 Eclipse Genie CLA 2016-11-08 15:25:06 EST
New Gerrit change created: https://git.eclipse.org/r/84698
Comment 5 Christopher Guindon CLA 2016-11-10 12:57:59 EST
We are almost done here. I just noticed that we still have a link to youtube in the main menu.

We should also remove the google search at the top of this page.
Comment 6 Eclipse Genie CLA 2016-11-10 13:10:52 EST
New Gerrit change created: https://git.eclipse.org/r/84829
Comment 7 Eclipse Genie CLA 2016-11-10 13:11:34 EST
New Gerrit change created: https://git.eclipse.org/r/84830
Comment 10 Christopher Guindon CLA 2016-11-10 13:23:07 EST
We are done here:
https://dev.eclipse.org/site_login/password_recovery.php

I've removed the search, replaced our default footer with a simple one and removed the more menu from this page.
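As an added check, not part of this bug or the eclipse.org code, the following Python script audits a password-reset page for the pattern the description lays out: a token in the URL combined with external links that browsers follow while sending the full URL in the Referer header. It treats a restrictive Referrer-Policy header or meta tag, a per-link referrerpolicy attribute, or rel="noreferrer" as closing the leak, so it covers both the fix applied here (removing external links) and the header-based alternative. The URL, headers and footer HTML are constructed samples; the parameter names in TOKEN_PARAMS are assumptions.

```python
"""Audit a password-reset page for the leak in this report: a secret token in
the URL plus external links the browser follows with the full URL as Referer.
Added example, not eclipse.org code; the sample data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TOKEN_PARAMS = {"token", "reset_token", "key"}  # assumed query-parameter names
# Policies under which a cross-origin navigation never carries path or query.
SAFE_POLICIES = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (href, rel, referrerpolicy) for every <a href>
        self.meta_referrer = ""  # content of <meta name="referrer">, if any
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], a.get("rel", ""), a.get("referrerpolicy", "")))
        elif tag == "meta" and a.get("name", "").lower() == "referrer":
            self.meta_referrer = a.get("content", "")

def audit_reset_page(page_url, headers, html):
    """Return findings as strings; an empty list means no Referer leak path."""
    page = urlparse(page_url)
    if not any(k in TOKEN_PARAMS for k in parse_qs(page.query)):
        return []  # nothing secret in the URL, so nothing for Referer to leak
    findings = ["secret token travels in the URL query string"]
    collector = _LinkCollector()
    collector.feed(html)
    lowered = {k.lower(): v for k, v in headers.items()}
    page_policy = (lowered.get("referrer-policy") or collector.meta_referrer).lower()
    for href, rel, link_policy in collector.links:
        host = urlparse(href).netloc
        if not host or host == page.netloc:
            continue  # same-site link: Referer stays in-house
        if (page_policy in SAFE_POLICIES or link_policy.lower() in SAFE_POLICIES
                or "noreferrer" in rel.lower().split()):
            continue  # policy or rel=noreferrer strips the token from Referer
        findings.append(f"external link would leak the token via Referer: {href}")
    return findings

# Constructed sample: a reset page whose footer mirrors the report (fb, twitter).
SAMPLE_URL = "https://dev.example.org/site_login/password_recovery.php?token=CONSTRUCTED"
SAMPLE_HTML = """<html><body><form method="post"></form><footer>
<a href="https://www.facebook.com/example">Facebook</a>
<a href="https://twitter.com/example" rel="noreferrer">Twitter</a>
<a href="/legal/privacy.php">Privacy</a>
</footer></body></html>"""
```

A page whose URL carries no token returns no findings at all, which is what the description's copy-and-paste alternative achieves: the token never enters the URL, so no link can leak it.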