Closed
Bug 1380982
Opened 7 years ago
Closed 7 years ago
Misconfigured AWS S3 Bucket [vmimages.mozilla.net]
Categories
(Websites :: Other, defect)
Websites
Other
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: ehsandeepsingh, Unassigned)
References
()
Details
(Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(1 file)
An random authenticated AWS CLI users, can list/download the content in some cases, which is not expected behavior.
Step to reproduce: aws s3 ls s3://vmimages.mozilla.net --recursive --region us-west-2 hit following comment on the machine where aws cli is installed, you can content get listed.
Flags: sec-bounty?
Thanks for the report Ehsan! I'm getting an Access Denied error: » aws s3 ls s3://vmimages.mozilla.net --recursive --region us-west-2 An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied Do you have any credentials configured for aws cli? I'm going to close this a invalid for now, but will reopen if I can reproduce it.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
|
Reporter | |
Comment 2•7 years ago
|
||
Hey, yes i have setup my aws cli using token and and secret, and as i mentioned in report as well "authenticated AWS CLI user". so you can use you any account, and once you setup your aws CLI, hit the above cmd and you should see the result.
Right, I'm still getting AccessDenied when I run: aws s3 ls s3://vmimages.mozilla.net --recursive --region us-west-2
|
|
Reporter | |
Comment 4•7 years ago
|
||
Hey, am not sure what wrong happening at your side, but still here i made video poc if that helps!
>> https://dl.dropboxusercontent.com/s/zgdgb42qitwlalt/2017-07-24_13-40-29.mp4Thanks Ehsan, as far as I can tell those images are supposed to be public: https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Using_the_VM links to http://vmimages.mozilla.net/ovf/FirefoxBuildEnv.ova and https://bugzilla.mozilla.org/show_bug.cgi?id=963619#c11 mentions http://vmimages.mozilla.net/vagrant/kuma-ubuntu-20140128.box
See Also: → 963619
OK I was able to reproduce the issue as reported by copying keys from an existing profile in ~/.aws/credentials and running AWS_PROFILE=$copied_profile aws s3 ls s3://vmimages.mozilla.net --recursive --region us-west-2
|
||
Updated•7 years ago
|
Flags: sec-bounty? → sec-bounty-
You need to log in
before you can comment on or make changes to this bug.
Description
•