Published On: 20 Jun 2019
Like many websites, Mozilla uses "MediaWiki" on one of its subdomains, https://wiki.mozilla.org. "MozillaWiki" is the official public wiki of the Mozilla Project. It serves as the public memory for the Mozilla community, documenting its projects, planning, processes and teams. For more details see https://wiki.mozilla.org/MozillaWiki:About, and for more details about "MediaWiki" see https://www.mediawiki.org/wiki/MediaWiki
A lot of developers use default credentials in their web applications, for testing purposes for example, and most of the time they forget to delete them. In my case I was able to log in to Mozilla wiki using default credentials, with username and password both "test". In addition, in "Mozilla wiki" only authorized accounts have permission to access "Mozilla Wiki". When I logged in as the "test" user, it asked me to change my password directly, so I changed it.
This allows an attacker to log in to "Mozilla Wiki" without requesting an account, and to edit the contents of the whole site.
Step 1: Go to https://wiki.mozilla.org/index.php?title=Special:UserLogin&returnto=Special%3ARequestAccount and enter username and password as "test".
* When it comes to a login panel, always try to test for default credentials like admin, root, password, administrator, etc.
* You can try to log in without entering any credentials by just hitting the login button (null credentials); see this write-up: https://medium.com/bugbountywriteup/bypassing-googles-fix-to-access-their-internal-admin-panels-12acd3d821e3
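
The defender's side of this finding, as an added example that is not part of the original write-up or Mozilla's code: an audit a wiki administrator can run over their own `user` table to find leftover accounts whose password equals the username or one of the defaults listed above. It assumes password hashes in MediaWiki's `:pbkdf2:<algo>:<rounds>:<length>:<salt>:<hash>` layout and rows of `(user_name, user_password)`; the function names and sample rows are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Defaults named in the write-up, including the "test" account it found.
DEFAULT_WORDS = ["test", "admin", "root", "password", "administrator"]

def mw_pbkdf2(password, salt, algo="sha512", rounds=30000, length=64):
    """Build a hash string in the assumed MediaWiki pbkdf2 layout (used for sample data)."""
    digest = hashlib.pbkdf2_hmac(algo, password.encode(), salt, rounds, length)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return ":pbkdf2:{}:{}:{}:{}:{}".format(algo, rounds, length, b64(salt), b64(digest))

def matches(stored, candidate):
    """Return True if candidate hashes to the stored pbkdf2 value."""
    parts = stored.split(":")
    if len(parts) != 7 or parts[1] != "pbkdf2":
        return False  # other hash types are out of scope for this audit
    _, _, algo, rounds, length, salt_b64, hash_b64 = parts
    digest = hashlib.pbkdf2_hmac(algo, candidate.encode(),
                                 base64.b64decode(salt_b64), int(rounds), int(length))
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))

def audit(rows):
    """rows: iterable of (user_name, user_password). Returns [(name, reason)]."""
    findings = []
    for name, stored in rows:
        # MediaWiki capitalises the first letter of usernames, so also try lowercase.
        for cand in dict.fromkeys([name, name.lower()] + DEFAULT_WORDS):
            if matches(stored, cand):
                same = cand.lower() == name.lower()
                findings.append((name, "password equals username" if same else "default password"))
                break
    return findings

def sample_rows():
    """Constructed sample data, not taken from any real wiki."""
    return [
        ("Test", mw_pbkdf2("test", b"constructed-salt-1")),
        ("Alice", mw_pbkdf2("correct horse battery staple", b"constructed-salt-2")),
        ("Wikibot", mw_pbkdf2("administrator", b"constructed-salt-3")),
    ]

if __name__ == "__main__":
    print(audit(sample_rows()))
```

Any account this flags should be disabled or have its password reset before it can be used to sign in.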