Closed
Bug 620911
Opened 14 years ago
Closed 13 years ago
developers can delete previews of addons that don't own addons.mozilla.org
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect)
addons.mozilla.org Graveyard
Public Pages
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: ervistusha, Unassigned)
Details
(Keywords: sec-moderate, wsec-authorization, Whiteboard: [infrasec:access][ws:moderate])
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Build Identifier:

https://addons.mozilla.org/en-US/developers/previews/264283/
Click on delete on one of the previews, tamper the data to change name="data[Preview][Delete][99999]" to a new id, name="data[Preview][Delete][11111]", and submit. Sorry, but I have deleted https://addons.mozilla.org/en-US/firefox/addon/3456/; I have deleted it.

Reproducible: Always

Comment 1•14 years ago (Reporter)
I have mailed security@mozilla.org the file I deleted. This should be checked carefully, because maybe developers can delete addons or upload addons that they don't own.

Comment 2•14 years ago (Reporter)
Upload and delete seem protected (I mean, they check if you have the right to upload/delete). Later I will check if I can upload a preview or add an owner to someone else's addon. I have created a demo account and will not delete anything :)
Updated•14 years ago
|
Group: websites-security → client-services-security
Component: Other → Public Pages
Product: Websites → addons.mozilla.org
QA Contact: other → web-ui
Comment 3•14 years ago

Can you clarify the bug? The title implies that any developer can delete another user's addon. Comment #2 seems to imply otherwise. My interpretation from the comments is that upload/delete for addons checks ownership/permissions. Currently you are looking into ways to upload previews as another user and whether it is possible to modify an addon's owner list. Is this correct?
Comment 4•14 years ago (Reporter)

1. Developers can delete previews of addons that they don't own on addons.mozilla.org.
2. I said that maybe the same bug lets a developer delete addons.
3. I have run some tests and it seems secure: a developer can NOT delete/upload or add a new owner for addons that they do NOT own.
Summary: developers can delete previews of addons that dont own addons.mozilla.org → developers can delete previews of addons that don't own addons.mozilla.org
Comment 5•14 years ago

Thanks for the clarification. I have reproduced the bug.

STR:
1. https://addons.mozilla.org/en-US/developers/previews/xxxxx/ where xxxxx is an addon you have owner permissions on
2. Add a preview image if you haven't already
3. Click Delete Preview
4. Click Update Previews
5. Modify the POST field name="data[Preview][Delete][target_id]" to your desired target_id
6. If you supplied a valid id, you should see "Your previews have been updated successfully. Preview target_id has been deleted successfully. Please note that some changes may take several hours to appear in all areas of the website."

The problem appears to be in previews_controller.php: http://viewvc.svn.mozilla.org/vc/addons/trunk/site/app/controllers/previews_controller.php?revision=51431&view=markup
L210 checks that the current user can modify the current addon before calling _delete() on L217. _delete() also performs an addon ownership check. The code doesn't check that the current user can modify the supplied preview id.

Suggested remediation: check that the supplied preview_id is a preview for the current addon.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [infrasec:access][ws:moderate]
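The authorization gap described in comment 5, written out as an added Python illustration (not the site's CakePHP code): the addon-level ownership check passes, but the preview ids taken from the form are never tied to that addon. The user, addon and preview ids below are constructed sample data, and the fixed handler returns the rejected ids so they can be logged.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Preview:
    id: int
    addon_id: int


@dataclass(frozen=True)
class Addon:
    id: int
    owners: frozenset


# Constructed sample data (not real AMO ids): user 1 owns addon 10, user 2 owns addon 20.
ADDONS = {10: Addon(10, frozenset({1})), 20: Addon(20, frozenset({2}))}
PREVIEWS = {99999: Preview(99999, 10), 11111: Preview(11111, 20)}


def user_can_modify(user_id, addon_id):
    """The check the controller already performs on the current addon."""
    addon = ADDONS.get(addon_id)
    return addon is not None and user_id in addon.owners


def delete_previews_vulnerable(user_id, addon_id, form):
    """Reproduces the reported flaw: ownership of addon_id is verified, but the
    preview ids read from data[Preview][Delete][<id>] are not checked against it."""
    if not user_can_modify(user_id, addon_id):
        return []
    return [pid for pid in form["Preview"]["Delete"] if pid in PREVIEWS]


def delete_previews_fixed(user_id, addon_id, form):
    """Remediation from comment 5: a preview is deleted only if it belongs to the
    addon being edited. Returns (deleted, rejected); a legitimate form never
    submits foreign ids, so rejected ids are worth logging as tampering."""
    if not user_can_modify(user_id, addon_id):
        return [], []
    deleted, rejected = [], []
    for pid in form["Preview"]["Delete"]:
        preview = PREVIEWS.get(pid)
        if preview is not None and preview.addon_id == addon_id:
            deleted.append(pid)
        else:
            rejected.append(pid)
    return deleted, rejected
```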
Comment 7•14 years ago (Reporter)

@David, yes, that is the right thing to do: check if the preview belongs to the current addon. Sorry for my misspelling; I was tired and wrote fast, and I had a bad internet connection.
Comment 8•13 years ago
I've disabled the script completely. This is all old code and was replaced by the new developer tools.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 9•13 years ago
Comment on attachment 499423 [details]
Web Bounty Awarded + 500 [paid]
Recommend non-qual: Deleting preview causes minimal damage to users.
Comment 10•13 years ago
Comment on attachment 499423 [details]
Web Bounty Awarded + 500 [paid]
Not too bad an attack (can restore from backups) but annoying and can reduce trust in the site.
Updated•11 years ago
Flags: sec-bounty+
Updated•9 years ago
Keywords: sec-moderate, wsec-authorization
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Updated•7 years ago
Group: client-services-security