Closed Bug 1119869 Opened 11 years ago Closed 11 years ago

[sec-high] Unauthorized Shelf Modification

Categories

(Marketplace Graveyard :: Admin Tools, defect)

Product:
Marketplace Graveyard
Component:
Admin Tools
Version:
Avenir
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: amuntner, Unassigned)

References

(
URL
)

Details

It is possible to modify active or inactive Operator Shelves that the authenticated user is not authorized to modify. Further, unauthenticated users can identify all Shelves, whether active or inactive. Identifying shelves: GET /api/v2/feed/shelves/{number}/ HTTP/1.1 The API is designed to return all of the information about all shelves, active or inactive, without authentication. An attacker could iterate through the Shelf numbers and retrieve all information about all shelves. This is not dangerous by itself, but in combination with the other issues, can be used by an attacker to locate the slugs for inactive shelves and then modify them. Modifying shelves: Summary: Modifying shelves is a two-step process: First, the attacker generates a malformed request that copies the shelf record from a user that is provisioned to modify an exclusive set of shelves. This is done by via a malformed request in which the JSON submitted contains the slug for the shelf to be modified, with a country and carrier that the attacker is permitted to modify. In a standard request, the slug name would be in the submitted URL, but the malformed request should not contain the slug in the URL. After that, a similar malformed request can be used to modify the page content. The malformations of the request are that the request type must be POST and that the tag is left out of the request, but included in the JSON. The carrier and country code submitted by the attacker must be ones which the attacker is permitted to modify. The result is that the attacker can modify shelves, active or inactive, created by other users to which they should not have access. Example: With the user amuntner-shelf1@mozilla.com, the attacker creates and activates a shelf named "america_movil_gt" for america_movil in Guatemala. Then as user amuntner-shelf2, which does not have authorization for that carrier, submits POST /api/v2/feed/shelves/?_user=amuntner%2Bshelf2%40mozilla.com%2C{base64 token} HTTP/1.1 Host: marketplace.allizom.org {"apps":[366345],"background_image_upload_url":"http://s3.amazonaws.com/feather-files-aviary-prod-us-east-1/18dd09ec2d40f716/2015-01-08/388bb7a2b8ac4510bdc7a49aa42b8c0d.png","background_image_landing_upload_url":"http://s3.amazonaws.com/feather-files-aviary-prod-us-east-1/18dd09ec2d40f716/2015-01-08/faa4c3140711426c9920df3897dc1c09.png","carrier":"telefonica","description":{"en-US":"america_movil_gt"},"name":{"en-US":"america_movil_gt"},"region":"mx","slug":"america_movil_gt"} after which the shelf appears in the attackers list of shelves. Because the slug is common, the shelves are the same. Modification: POST /api/v2/feed/shelves/?_user=amuntner%2Bshelf2%40mozilla.com%2Cfed8bd2361e06a8693673074ef3c66fe25ac0feed82859d27399f73b139dc5ef806245f142fa7f2a3c5b53691665a0ef1845129ce1b5ccab5e95d268f75b6320%2Cefd96fc3481b410fa743d5eb30221e2a HTTP/1.1 Host: marketplace.allizom.org {"apps":[366345],"background_image_upload_url":"http://s3.amazonaws.com/feather-files-aviary-prod-us-east-1/18dd09ec2d40f716/2015-01-08/388bb7a2b8ac4510bdc7a49aa42b8c0d.png","background_image_landing_upload_url":"http://s3.amazonaws.com/feather-files-aviary-prod-us-east-1/18dd09ec2d40f716/2015-01-08/faa4c3140711426c9920df3897dc1c09.png","carrier":"telefonica","description":{"en-US":"america_movil_gt foo"},"name":{"en-US":"america_movil_gt_2"},"region":"mx","slug":"america_movil_gt_2"} Resolution: The application should verify that a user has permission to modify a shelf before allowing it to be modified.
(edit) the correct usernames are in the requests, not the description: amuntner+shelf1@mozilla.com amuntner+shelf2@mozilla.com
Update: After the first malformed request, the shelf can be modified from the browser.
Fix in: https://github.com/mozilla/zamboni-security/commit/ad1459bda45dc4d00f49c6fac26182046a2dbf58 This will be cherry-picked into the push tomorrow. You'll be able to test the fix on production after that push, which usually finishes around 1:00 PST.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
removing security flags to make bug public, it's fixed
Group: mozilla-employee-confidential, client-services-security
You need to log in before you can comment on or make changes to this bug.