Closed Bug 1754966 Opened 2 years ago Closed 2 years ago

IDOR resulting in image deletion in https://support.mozilla.org/

Categories

(support.mozilla.org :: General, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: roldanbrandon62, Assigned: lmcardle)


Details

(Keywords: sec-moderate, wsec-authorization, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Hi. The source code of the platform powering SUMO is available on GitHub, https://github.com/mozilla/kitsune. While auditing the code, I found a potential IDOR that allows any user to potentially delete all the images on the site.
In the reply function in questions/views.py, if we provide a POST parameter delete_images and the id of an image in the delete_image POST parameter, the image with the specified id will be deleted without permission checks.

The lines of code are

    if "delete_images" in request.POST:
        for image_id in request.POST.getlist("delete_image"):
            # the pk comes straight from the client; nothing ties it to the
            # current user or to the reply being posted
            ImageAttachment.objects.get(pk=image_id).delete()
Flags: sec-bounty?
Component: Other → General
Product: Websites → support.mozilla.org

Hello,

Thank you for your report and bringing this issue to our attention.

I checked the code and I agree that the delete action is not scoped to a particular post or user. I am curious whether you were able to exploit this issue in the application.

Thanks,
Frida

Hi. I haven't tested it on the real site yet, because I may cause a disturbance. If you give me permission, I could try it. Thanks

Thank you for that, I'll wait for confirmation from the engineering team on how to move forward.

Hi. I see that kitsune has a staging site. I will try it there; I assume it will not cause any harm to the real site.

I think so too, I was about to suggest using the staging site but wanted to confirm with the team first. I will update you when I get the confirmation. Thanks.

Alright, thanks

Hello, I have confirmed with the security team that you can test on the staging environment, https://support.allizom.org/.

Thanks,
Frida

Hi. Thanks. I can confirm that the bug exists.

Can you please add more details about the steps to reproduce and the security impact of the bug? Thanks.

Hi. Sure.
Steps to reproduce

  1. Have two accounts; we will call these two users user a and user b.
  2. As user a, create a new question; in the question, make a new reply and add an image to the reply.
  3. Take note of the id of the uploaded image.
  4. As user b, reply to the question too, then intercept the request.
  5. In the body of the request, add &delete_images=true&delete_image=60680, replacing 60680 with the id of the image uploaded by user a.
  6. You will see that the image is deleted directly from the CDN.

Impact:
From what I know, with this bug, an attacker can delete all images on the website that use the ImageAttachment class.

POC:
https://youtu.be/cvJtaBL3pGQ

I wasn't able to reproduce the issue. When I send the request below, I get a 500 Internal Server Error, and I noticed that you also received the same error in your video:

POST /en-US/questions/<question_id>/reply HTTP/1.1
Host: support.allizom.org

csrfmiddlewaretoken=<token>&content=test+reply+2+%2B+delete&delete_images=true&delete_image=<image_id>

The image is not deleted after I send the request. I think you might have deleted the image from that comment when you intercepted the request. Can you please try again with a different comment and image?

I am wondering if you can also reproduce this issue on any image from any question. For example, can you try to delete the image ID from my question? The ID is 60682.

Thanks,
Frida

Please note that the team are currently handling an incident on the site, so it might be better if we continue the investigation tomorrow.

Hi. Yeah, it is kinda weird. Sometimes I can't get it to work and I'm still figuring out why. But I'm pretty sure the IDOR exists.

Hi. It seems like the image in your question in https://support.allizom.org/en-US/questions/1207214 got deleted. So I guess you got it working.

I guess it takes a while for the images to be fully deleted.

I just tried again to delete another image, I received internal server error, I will leave it for a while to see if the image would be deleted.

Hello Tasos,

I am wondering if you had a chance to take a look at this report? The issue is that it might be possible for someone to delete other people's images when posting replies to a question. I am also curious what is the use case of deleting images when posting a reply.

Thanks,
Frida

Flags: needinfo?(tasos)

Confirming that the image I deleted using the IDOR in comment 16 was actually deleted.

Status: UNCONFIRMED → NEW
Type: task → defect
Ever confirmed: true

Noice

These images are uploads from users when they are posting to forums to get support and in some cases there are valid reasons to be able to delete them. For example there are many spam posts in the forums and moderators need to be able to delete them.

I am adding Leo in this bug who will be the one working on it as I will not be available for the next couple of weeks.

Assignee: nobody → lmcardle
Flags: needinfo?(tasos)

Thanks Tasos for the information.

Hello Leo,

As Tasos mentioned, there might be valid reasons for moderators to delete the images directly. Would it be possible to only allow moderators to delete other users' images?

Thanks,
Frida
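The loop quoted in the original report beside a scoped version along the lines of the moderator suggestion above, as an added example that is not kitsune's code. Django is replaced by plain Python stand-ins: User, ImageAttachment with an assumed creator field, FakeRequest, and an in-memory dict in place of the ORM; the ids and usernames are constructed.

```python
from dataclasses import dataclass

@dataclass
class User:
    username: str
    is_moderator: bool = False   # stands in for a real permission check

@dataclass
class ImageAttachment:
    pk: int
    creator: str                 # assumed field: username of the uploader

@dataclass
class FakeRequest:
    user: User
    POST: dict                   # str -> list[str], like QueryDict.getlist()

def sample_store():
    # Constructed data: two uploads by different users (ids are made up).
    return {img.pk: img for img in (ImageAttachment(60680, "user_a"),
                                    ImageAttachment(60682, "frida"))}

def delete_images_vulnerable(request, store):
    """Mirrors the reported logic: any pk the client names is deleted.
    A missing pk raises, the equivalent of the 500 seen in the thread."""
    deleted = []
    if "delete_images" in request.POST:
        for image_id in request.POST.get("delete_image", []):
            del store[int(image_id)]          # KeyError ~ DoesNotExist -> 500
            deleted.append(int(image_id))
    return deleted

def delete_images_scoped(request, store):
    """Hardened variant: a pk is deleted only if the requester uploaded it
    or holds moderator rights. Everything else is collected in `denied`
    so the view can log the attempt instead of crashing or complying."""
    deleted, denied = [], []
    if "delete_images" not in request.POST:
        return deleted, denied
    for raw_id in request.POST.get("delete_image", []):
        img = store.get(int(raw_id)) if raw_id.isdigit() else None
        if img is None or not (img.creator == request.user.username
                               or request.user.is_moderator):
            denied.append(raw_id)             # unknown, foreign or malformed id
            continue
        del store[img.pk]                     # in Django: filter(pk=..., creator=request.user)
        deleted.append(img.pk)
    return deleted, denied
```

The `denied` list is what a defender wants surfaced: a non-moderator naming someone else's image id is exactly the pattern in this report, and it should be logged rather than silently ignored.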

Thanks for the bug report.

This section of code is pretty old and a relic of having to support no-js attachment uploads.

I've removed it in this commit, and this is now deployed on staging for testing: https://github.com/mozilla/kitsune/commit/ac702c3f25de21826b24d0b0b0b426e0fb942983

Status: NEW → ASSIGNED

Awesome, would this be eligible for a bounty? Thanks

Thanks Leo, can you please let us know or resolve the bug as fixed when the changes are deployed to production?

Regarding the bounty, support.mozilla.org is not included in the list of eligible sites, https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/, so the report might not be eligible for bounty award. I can discuss with the team if we can add you to our hall of fame list.

Thanks,
Frida

I see, Thanks

Deployed to prod this morning.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+

Thank you for reporting this. We discovered that support.mozilla.org is not on our list of "Core" sites, but we believe it should be so we have awarded a bounty as if it were. We'll update the site list soon.

Thank you. How could I claim the bounty?

Someone from our team will contact you soon regarding the bounty.

Thanks again for your report.

Regards,
Frida

Ahhh. Thanks

Quick question, how would you like to be mentioned in our HoF? https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/

Sure. My name is Brandon Roldan, and my Twitter is https://twitter.com/tomorrowisnew_

Group: websites-security

Hello, any updates on the bounty? It's been more than a month now since I got it and I still don't have the bounty in my bank account. The email is not responding either. Thanks

Hello Brandon,

It usually takes time for the bounty to be processed. Hopefully, you will receive the payment soon.

Thanks,
Frida
