Closed Bug 620911 Opened 14 years ago Closed 13 years ago

developers can delete previews of addons that don't own addons.mozilla.org

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ervistusha, Unassigned)

References

()

Details

(Keywords: sec-moderate, wsec-authorization, Whiteboard: [infrasec:access][ws:moderate])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Build Identifier: 

https://addons.mozilla.org/en-US/developers/previews/264283/

1. Click on Delete for one of the previews.
2. With Tamper Data, change
   name="data[Preview][Delete][99999]"
   to a new id:
   name="data[Preview][Delete][11111]"
3. Submit.


Sorry, but I have deleted
https://addons.mozilla.org/en-US/firefox/addon/3456/
I have deleted

Reproducible: Always
I have mailed the file I deleted to security@mozilla.org.

This should be checked carefully, because maybe developers can delete add-ons or upload add-ons that they don't own.
Upload and delete seem protected (I mean, it checks whether you have the right to upload/delete).

Later I will check whether I can upload a preview or add an owner to someone else's add-on.


I have created a demo account, not deleted anything :)
Group: websites-security → client-services-security
Component: Other → Public Pages
Product: Websites → addons.mozilla.org
QA Contact: other → web-ui
Can you clarify the bug? The title implies that any developer can delete another user's addon. Comment #2 seems to imply otherwise.

My interpretation from the comments is that upload/delete for addons checks ownership/permissions. Currently you are looking into ways to upload previews as another user and whether it is possible to modify an addon's owner list. Is this correct?
1. Developers can delete previews of add-ons that they don't own on addons.mozilla.org.
2. I said the same bug may let a developer delete add-ons.
3. I have run some tests and it seems secure: a developer can NOT delete/upload or add a new owner for add-ons that they do NOT own.
Summary: developers can delete previews of addons that dont own addons.mozilla.org → developers can delete previews of addons that don't own addons.mozilla.org
Thanks for the clarification. I have reproduced the bug. 

STR:
1. https://addons.mozilla.org/en-US/developers/previews/xxxxx/ where xxxxx is an addon you have owner permissions on
2. Add a preview image if you haven't already
3. Click Delete Preview
4. Click Update Previews
5. Modify the POST field
   name="data[Preview][Delete][target_id]"
   to your desired target_id.
6. If you supplied a valid id, you should see:
   Your previews have been updated successfully.
   Preview target_id has been deleted successfully.
   Please note that some changes may take several hours to appear in all areas of the website.


The problem appears to be in previews_controller.php

http://viewvc.svn.mozilla.org/vc/addons/trunk/site/app/controllers/previews_controller.php?revision=51431&view=markup

L210 checks that the current user can modify the current addon before calling _delete() on L217

_delete() also performs an addon ownership check. The code doesn't check that the current user can modify the supplied preview id. 


Suggested remediation:
Check that the supplied preview_id is a preview for the current addon.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [infrasec:access][ws:moderate]
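A stand-in for the flawed check and the suggested fix, added here as an illustration and not code from AMO's previews_controller.php; the in-memory rows, the user ids and the function names are assumptions, while the add-on and preview ids are the ones quoted in this report:

```php
<?php
// Added illustration, not AMO's previews_controller.php. Rows are an
// in-memory stand-in (assumed shape): each preview records the add-on it
// belongs to, each add-on records its owner user ids.
$addons = [
    3456   => ['owners' => [1]],   // add-on 3456 from the report, owned by user 1
    264283 => ['owners' => [2]],   // add-on 264283 from the report, owned by user 2
];
$previews = [
    99999 => ['addon_id' => 264283],   // preview id from the report
    11111 => ['addon_id' => 3456],     // preview id from the report
];

function canModifyAddon(array $addons, int $userId, int $addonId): bool
{
    return isset($addons[$addonId])
        && in_array($userId, $addons[$addonId]['owners'], true);
}

// Flawed shape described in the bug: the add-on id from the URL is
// authorized, but the preview id from the POST body is deleted unchecked.
function deletePreviewFlawed(array &$previews, array $addons,
                             int $userId, int $addonId, int $previewId): bool
{
    if (!canModifyAddon($addons, $userId, $addonId) || !isset($previews[$previewId])) {
        return false;
    }
    unset($previews[$previewId]);   // no test that the preview is this add-on's
    return true;
}

// Suggested remediation: the preview must be a child of the authorized add-on.
function deletePreviewFixed(array &$previews, array $addons,
                            int $userId, int $addonId, int $previewId): bool
{
    if (!canModifyAddon($addons, $userId, $addonId) || !isset($previews[$previewId])
        || $previews[$previewId]['addon_id'] !== $addonId) {
        return false;   // unknown preview, or one belonging to another add-on
    }
    unset($previews[$previewId]);
    return true;
}

// User 2 is authorized on 264283 but submits preview 11111, which belongs to 3456.
$p = $previews;
echo 'flawed: ', var_export(deletePreviewFlawed($p, $addons, 2, 264283, 11111), true), PHP_EOL;
$p = $previews;
echo 'fixed:  ', var_export(deletePreviewFixed($p, $addons, 2, 264283, 11111), true), PHP_EOL;
```

The same shape applies to any child-object action whose parent is authorized from the URL but whose child id arrives in the request body: the binding between child and parent has to be checked server-side, not inferred from the form.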
@David yes, that is the right thing to do: check whether the preview belongs to the current addon.

Sorry for my misspellings; I was tired and wrote fast, and I had a bad internet connection.
I've disabled the script completely.  This is all old code and was replaced by the new developer tools.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 499423 [details]
Web Bounty Awarded + 500 [paid]

Recommend non-qual: Deleting preview causes minimal damage to users.
Comment on attachment 499423 [details]
Web Bounty Awarded + 500 [paid]

Not too bad an attack (can restore from backups) but annoying and can reduce trust in the site.
Flags: sec-bounty+
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Group: client-services-security