IDOR resulting in image deletion in https://support.mozilla.org/
Categories
(support.mozilla.org :: General, defect)
Tracking
(Not tracked)
People
(Reporter: roldanbrandon62, Assigned: lmcardle)
References
()
Details
(Keywords: sec-moderate, wsec-authorization, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Hi. The source code of the platform powering SUMO is available on GitHub, https://github.com/mozilla/kitsune. While auditing the code, I found a potential IDOR that allows any user to potentially delete all the images on the site.
In the reply function in questions/views.py, if we provide a POST parameter delete_images, and provide the ID of an image in the delete_image POST parameter, the image with the specified ID will be deleted without any permission checks.
The code is:
if "delete_images" in request.POST:
    for image_id in request.POST.getlist("delete_image"):
        ImageAttachment.objects.get(pk=image_id).delete()
Comment 1•2 years ago
Hello,
Thank you for your report and bringing this issue to our attention.
I checked the code and I agree that the delete action is not scoped to a particular post or user. I am curious whether you were able to exploit this issue in the application.
Thanks,
Frida
Reporter
Comment 2•2 years ago
Hi. I haven't tested it on the real site yet, because I may cause a disturbance. If you give me permission, I could try it. Thanks
Comment 3•2 years ago
Thank you for that, I'll wait for confirmation from the engineering team on how to move forward.
Reporter
Comment 4•2 years ago
Hi. I see that kitsune has a staging site. I will try it there; I assume it will not cause any harm to the real site.
Comment 5•2 years ago
I think so too, I was about to suggest using the staging site but wanted to confirm with the team first. I will update you when I get the confirmation. Thanks.
Reporter
Comment 6•2 years ago
Alright, thanks
Comment 7•2 years ago
Hello, I have confirmed with the security team that you can test on the staging environment, https://support.allizom.org/.
Thanks,
Frida
Reporter
Comment 8•2 years ago
Hi. Thanks. I can confirm that the bug exists.
Comment 9•2 years ago
Can you please add more details about the steps to reproduce and the security impact of the bug? Thanks.
Reporter
Comment 10•2 years ago
Hi. Sure.
Steps to reproduce
- Have two accounts; we will call these two users user A and user B
- As user A, create a new question; in the question, add a new reply and attach an image to the reply
- Take note of the ID of the uploaded image
- As user B, reply to the question too, then intercept the request
- In the body of the request, add
&delete_images=true&delete_image=60680
, replacing 60680 with the ID of user A's uploaded image.
- You will see that the image is deleted directly from the CDN.
Impact:
From what I know, with this bug an attacker can delete all images on the website that use the ImageAttachment class.
Comment 11•2 years ago
I wasn't able to reproduce the issue. When I send the request below, I get a 500 internal server error, and I noticed that you also received the same error in your video:
POST /en-US/questions/<question_id>/reply HTTP/1.1
Host: support.allizom.org
csrfmiddlewaretoken=<token>&content=test+reply+2+%2B+delete&delete_images=true&delete_image=<image_id>
The image is not deleted after I sent the request; I think you might have deleted the image from that comment when you intercepted the request. Can you please try again with a different comment and image?
I am wondering if you can also reproduce this issue on any image from any question. For example, can you try to delete the image from my question? The ID is 60682.
Thanks,
Frida
Comment 12•2 years ago
Please note that the team are currently handling an incident on the site, so it might be better if we continue the investigation tomorrow.
Reporter
Comment 13•2 years ago
Hi. Yeah, it is kind of weird. Sometimes I can't get it to work and I'm still figuring out why. But I'm pretty sure the IDOR exists.
Reporter
Comment 14•2 years ago
Hi. It seems like the image in your question at https://support.allizom.org/en-US/questions/1207214 got deleted. So I guess you got it working.
Reporter
Comment 15•2 years ago
I guess it takes a while for the images to be fully deleted.
Comment 16•2 years ago
I just tried again to delete another image; I received an internal server error. I will leave it for a while to see if the image is deleted.
Comment 17•2 years ago
Hello Tasos,
I am wondering if you had a chance to take a look at this report? The issue is that it might be possible for someone to delete other people's images when posting replies to a question. I am also curious what is the use case of deleting images when posting a reply.
Thanks,
Frida
Comment 18•2 years ago
Confirming that the image I deleted using the IDOR in comment 16 was actually deleted.
Reporter
Comment 19•2 years ago
Noice
Comment 20•2 years ago
These images are uploads from users when they are posting to forums to get support and in some cases there are valid reasons to be able to delete them. For example there are many spam posts in the forums and moderators need to be able to delete them.
I am adding Leo to this bug; he will be the one working on it, as I will not be available for the next couple of weeks.
Comment 21•2 years ago
Thanks Tasos for the information.
Hello Leo,
As Tasos mentioned, there might be valid reasons for moderators to delete the images directly. Would it be possible to only allow moderators to delete other users' images?
Thanks,
Frida
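The unscoped delete quoted in comment 0, the multi-id request body from the reproduction in comment 10, and the moderator-only suggestion in comment 21, worked through as an added example. This is not kitsune's code: the view is rebuilt over an in-memory store, the `creator` field on ImageAttachment and the `is_moderator` flag are assumptions, and the ids and usernames are constructed.

```python
"""Added example, not kitsune's code. Models the reply view's delete_images
handling against an in-memory store, next to a variant scoped to the
requesting user (with an assumed moderator override)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class ImageAttachment:
    pk: int
    creator: str  # assumption: kitsune's real ownership field may differ


@dataclass
class Store:
    """Stand-in for ImageAttachment.objects: every image on the site."""
    images: dict = field(default_factory=dict)

    def add(self, pk: int, creator: str) -> None:
        self.images[pk] = ImageAttachment(pk, creator)

    def get(self, pk: int) -> ImageAttachment:
        return self.images[pk]  # KeyError plays the role of DoesNotExist

    def delete(self, pk: int) -> None:
        del self.images[pk]


def parse_body(body: str) -> dict:
    """Mimic request.POST: parse_qs keeps repeated keys as lists, which is
    what QueryDict.getlist("delete_image") returns for the real view."""
    return parse_qs(body, keep_blank_values=True)


def reply_vulnerable(store: Store, body: str) -> list:
    """Mirrors the reported logic: every id listed in delete_image is deleted,
    with no check that the requester owns it or the question."""
    post = parse_body(body)
    deleted = []
    if "delete_images" in post:
        for image_id in post.get("delete_image", []):
            store.get(int(image_id)).pk  # raises on an unknown id, like .get()
            store.delete(int(image_id))
            deleted.append(int(image_id))
    return deleted


def reply_scoped(store: Store, body: str, user: str, is_moderator: bool = False) -> list:
    """Scoped variant: a plain user may delete only attachments they created;
    a moderator (assumed flag) may delete any. Unauthorized or unknown ids are
    skipped rather than raised, so the response does not confirm their existence."""
    post = parse_body(body)
    deleted = []
    if "delete_images" in post:
        for raw_id in post.get("delete_image", []):
            try:
                image_id = int(raw_id)
                img = store.get(image_id)
            except (ValueError, KeyError):
                continue
            if is_moderator or img.creator == user:
                store.delete(image_id)
                deleted.append(image_id)
    return deleted


def fresh_store() -> Store:
    """Constructed sample data: three images owned by three different users."""
    s = Store()
    s.add(60680, "user_a")
    s.add(60682, "frida")
    s.add(60690, "user_b")
    return s


# Constructed attacker body: user_b posts a reply and names every image id,
# including two that belong to other users.
ATTACK_BODY = (
    "csrfmiddlewaretoken=t&content=test+reply&delete_images=true"
    "&delete_image=60680&delete_image=60682&delete_image=60690"
)


def demo() -> dict:
    """Run the same request through both variants on identical stores."""
    s_vuln = fresh_store()
    vuln = reply_vulnerable(s_vuln, ATTACK_BODY)
    s_user = fresh_store()
    as_user = reply_scoped(s_user, ATTACK_BODY, user="user_b")
    s_mod = fresh_store()
    as_mod = reply_scoped(s_mod, ATTACK_BODY, user="moderator", is_moderator=True)
    return {
        "vulnerable_deleted": vuln,
        "remaining_after_vulnerable": sorted(s_vuln.images),
        "scoped_deleted_as_user_b": as_user,
        "remaining_after_scoped": sorted(s_user.images),
        "scoped_deleted_as_moderator": as_mod,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The vulnerable path deletes all three images in a single request because `getlist` hands back every repeated `delete_image` value, which is what makes the "delete all images" impact in comment 10 a loop rather than one request per image; the scoped path leaves user A's and Frida's images in place for user B and only clears everything when the moderator flag is set. The fix actually shipped in comment 22 removes the code path entirely, which is simpler than adding the ownership check shown here.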
Assignee
Comment 22•2 years ago
Thanks for the bug report.
This section of code is pretty old and a relic of having to support no-JS attachment uploads.
I've removed it in this commit, and this is now deployed on staging for testing: https://github.com/mozilla/kitsune/commit/ac702c3f25de21826b24d0b0b0b426e0fb942983
Reporter
Comment 23•2 years ago
Awesome, would this be eligible for a bounty? Thanks
Comment 24•2 years ago
Thanks Leo, can you please let us know or resolve the bug as fixed when the changes are deployed to production?
Regarding the bounty, support.mozilla.org is not included in the list of eligible sites, https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/, so the report might not be eligible for bounty award. I can discuss with the team if we can add you to our hall of fame list.
Thanks,
Frida
Reporter
Comment 25•2 years ago
I see, thanks
Assignee
Comment 26•2 years ago
Deployed to prod this morning.
Comment 27•2 years ago
Thank you for reporting this. We discovered that support.mozilla.org is not on our list of "Core" sites, but we believe it should be so we have awarded a bounty as if it were. We'll update the site list soon.
Reporter
Comment 28•2 years ago
Thank you. How could I claim the bounty?
Comment 29•2 years ago
Someone from our team will contact you soon regarding the bounty.
Thanks again for your report.
Regards,
Frida
Reporter
Comment 30•2 years ago
Ahhh. Thanks
Comment 31•2 years ago
Quick question, how would you like to be mentioned in our HoF? https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/
Reporter
Comment 32•2 years ago
Sure. My name is Brandon Roldan, and my twitter is https://twitter.com/tomorrowisnew_
Reporter
Comment 33•2 years ago
Hello, any updates on the bounty? It's been more than a month now since I got it and I still don't have the bounty in my bank. The email is not responding either. Thanks
Comment 34•2 years ago
Hello Brandon,
It usually takes time for the bounty to be processed. Hopefully, you will receive the payment soon.
Thanks,
Frida