Vulnerability Report:

Eion Robb eion at
Thu Sep 4 17:07:23 EDT 2014

The __FORM_TOKEN post parameter comes from the trac_form_token cookie, and
appears to be used as a form of XSRF-protection, nothing more.  If you
disagree, I'd suggest you email Trac to let them know.

On 5 September 2014 08:52, Asim Shahzad <protector_47 at> wrote:

> Hi,
> Sir, I found a vulnerability on
> Caption:
> Token Validation!
> Environmental Information:
> Browser: Mozilla Firefox 31.0
> Operating System: Windows 7 32-bit
> Tool: Live HTTP Headers 0.17
> Vulnerable URL:
> Tool description:
> 1. To find this vulnerability I used "Live HTTP Headers".
> 2. It is an add-on for Mozilla Firefox.
> 3. It is used to capture any registration or any other request. It also
> provides options to edit any request manually and then resend the edited request.
> 4. You just have to add this add-on to Mozilla Firefox.
> 5. If you want to capture any request, open "Live HTTP Headers" from the
> menu bar >> Tools >> Live HTTP Headers and tick the capture box; then all
> activity will be captured.
> Bug description:
> 1. All users have registered with the same token,
> which is:
> 1f0e1c1e81c865798e2aa21
> 2. The token is not validated on registration.
> Steps to Reproduce:
> 1. First you have to add the add-on "Live HTTP Headers 0.17".
> 2. This is an add-on for Mozilla Firefox.
> 3. It is used to capture any registration request.
> 4. Then register an account on
> 5. After filling in the sign-up form, do not click on the "Create account" button.
> First you have to open "Live HTTP Headers" from the menu bar >> Tools >> Live
> HTTP Headers and tick the capture box.
> 6. Now click on the "Create account" button; "Live HTTP Headers" will have captured
> your registration request.
> 7. Find this link in the captured request.
> 8. Select this link with a single click, then click on the replay button, and
> you will see another window in which there is a token. Copy the token into
> Notepad.
> The token will be shown in the captured request
> like this:
> __FORM_TOKEN=1f0e1c1e81c865798e2aa21
> 9. Now register a second account >> capture the request >> and then copy the
> 2nd account's token into Notepad. Then compare both tokens with each other;
> both will be the same:
> 1f0e1c1e81c865798e2aa21
> 10. This is the token with which all users have registered.
> Additional Information:
> 1. It is very harmful, because in this situation any bot/hacker is able
> to perform unlimited registrations with the same token.
> 2. Also, there is a warning of brute force attack!
> You will understand further after watching the attached video.
> Fix it as soon as possible!
> Thank you.
> The Security Researcher.
> M. Asim Shahzad.
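The check Eion describes above, as an added illustration (not part of this thread and not Trac's own code): under a double-submit scheme the POSTed __FORM_TOKEN must equal the trac_form_token cookie carried by the same request, so two sign-ups from one browser naturally carry the same value, while a cross-site form, which cannot read that cookie, fails the check. The cookie and field names are taken from the thread; the request bodies are constructed samples and the validation logic is an assumption about how such a check is commonly written.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "trac_form_token"   # cookie name quoted in the reply above
FIELD_NAME = "__FORM_TOKEN"       # POST parameter quoted in the report


def issue_form_token() -> str:
    """Fresh random token for a browser that does not yet hold the cookie."""
    return secrets.token_hex(12)


def form_token_matches(cookie_header: str, post_body: str) -> bool:
    """Double-submit check: the POSTed field must equal the cookie value.

    The token is per browser, not per account, so it is expected that
    consecutive registrations from the same browser send the same value.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if COOKIE_NAME not in jar:
        return False                      # no cookie, nothing to bind to
    submitted = parse_qs(post_body).get(FIELD_NAME, [""])[0]
    if not submitted:
        return False                      # field missing or empty
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(jar[COOKIE_NAME].value, submitted)


# Constructed sample requests; the token value is the one quoted in the report.
TOKEN = "1f0e1c1e81c865798e2aa21"


def classify_requests() -> dict:
    """Run the check over four constructed requests from one browser."""
    cookie = f"{COOKIE_NAME}={TOKEN}"
    return {
        # Two sign-ups from the same browser: same cookie, same field -> both pass.
        "first_signup": form_token_matches(cookie, f"{FIELD_NAME}={TOKEN}&name=alice"),
        "second_signup": form_token_matches(cookie, f"{FIELD_NAME}={TOKEN}&name=bob"),
        # A forged cross-site form cannot read the cookie, so its field is wrong.
        "forged_wrong_field": form_token_matches(cookie, f"{FIELD_NAME}=deadbeef&name=x"),
        # A request that carries the field but no cookie is rejected too.
        "field_without_cookie": form_token_matches("", f"{FIELD_NAME}={TOKEN}&name=y"),
    }


if __name__ == "__main__":
    for label, accepted in classify_requests().items():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```

Two identical tokens across registrations are therefore the expected output of this scheme, not a bypass of it; the protection rests on the cookie being unreadable to other origins, not on the token differing per user.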