developers can delete previews of addons that don't own addons.mozilla.org

RESOLVED FIXED

Status

addons.mozilla.org Graveyard
Public Pages
--
critical
RESOLVED FIXED
8 years ago
a year ago

People

(Reporter: Ervis Tusha, Unassigned)

Tracking

(Blocks: 1 bug, {sec-moderate, wsec-authorization})

unspecified
sec-moderate, wsec-authorization
Bug Flags:
sec-bounty +

Details

(Whiteboard: [infrasec:access][ws:moderate], URL)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Build Identifier: 

https://addons.mozilla.org/en-US/developers/previews/264283/

Click on delete for one preview.

Tamper Data: change
name="data[Preview][Delete][99999]

to a new id
name="data[Preview][Delete][11111]
and submit.


Sorry, but I have deleted
https://addons.mozilla.org/en-US/firefox/addon/3456/
I have deleted

Reproducible: Always
(Reporter)

Comment 1

8 years ago
I have mailed security@mozilla.org the file I have deleted.

This should be checked carefully because maybe developers can delete addons or upload addons that they don't own.
(Reporter)

Comment 2

8 years ago
Upload and delete seem protected (I mean it checks if you have the right to upload/delete).

Later I will check if I can upload a preview or add an owner for someone else.


I have created a demo account and not deleted anything :)
Group: websites-security → client-services-security
Component: Other → Public Pages
Product: Websites → addons.mozilla.org
QA Contact: other → web-ui

Comment 3

8 years ago
Can you clarify the bug? The title implies that any developer can delete another user's addon. Comment #2 seems to imply otherwise.

My interpretation from the comments is that upload/delete for addons checks ownership/permissions. Currently you are looking into ways to upload previews as another user and whether it is possible to modify an addon's owner list. Is this correct?
(Reporter)

Comment 4

8 years ago
1. Developers can delete previews of addons that they don't own on addons.mozilla.org.
2. I said maybe the same bug lets a developer delete addons.
3. I have run some tests and it seems secure: a developer can NOT delete/upload or add a new owner for addons they do NOT own.

Updated

8 years ago
Summary: developers can delete previews of addons that dont own addons.mozilla.org → developers can delete previews of addons that don't own addons.mozilla.org

Comment 5

8 years ago
Thanks for the clarification. I have reproduced the bug. 

STR:
1. https://addons.mozilla.org/en-US/developers/previews/xxxxx/ where xxxxx is an addon you have owner permissions on
2. Add a preview image if you haven't already
3. Click Delete Preview
4. Click Update Previews
5. Modify the POST field
name="data[Preview][Delete][target_id]
to your desired target_id
6. If you supplied a valid id, you should see
Your previews have been updated successfully.
Preview target_id has been deleted successfully.
Please note that some changes may take several hours to appear in all areas of the website.


The problem appears to be in previews_controller.php

http://viewvc.svn.mozilla.org/vc/addons/trunk/site/app/controllers/previews_controller.php?revision=51431&view=markup

L210 checks that the current user can modify the current addon before calling _delete() on L217

_delete() also performs an addon ownership check. The code doesn't check that the current user can modify the supplied preview id. 


Suggested remediation:
Check that the supplied preview_id is a preview for the current addon.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [infrasec:access][ws:moderate]
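The authorization gap described in comment 5 (the addon in the URL is ownership-checked, the preview id in the POST body is not) and its suggested remediation, as an added Python example that is not AMO's previews_controller.php code. The addon/preview data, the user names, the function names and the parser for the `data[Preview][Delete][id]` field name are all constructed here for illustration.

```python
import re
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class Preview:
    id: int
    addon_id: int  # the addon this preview belongs to


@dataclass
class Addon:
    id: int
    owners: set


# Constructed sample data: two addons with different owners, one preview each.
ADDONS = {
    100: Addon(id=100, owners={"alice"}),
    200: Addon(id=200, owners={"bob"}),
}
PREVIEWS = {
    1: Preview(id=1, addon_id=100),
    2: Preview(id=2, addon_id=200),
}

# Matches the CakePHP-style form field name quoted in the report.
DELETE_FIELD = re.compile(r"data\[Preview\]\[Delete\]\[(\d+)\]")


def parse_delete_field(name):
    """Return the preview id carried in a data[Preview][Delete][<id>] field name, or None."""
    m = DELETE_FIELD.fullmatch(name)
    return int(m.group(1)) if m else None


def user_can_modify_addon(user, addon_id):
    """Ownership check on the addon named in the URL (the check the page says existed)."""
    addon = ADDONS.get(addon_id)
    return addon is not None and user in addon.owners


def delete_preview_vulnerable(user, addon_id, preview_id, previews):
    """Mirrors the flaw: only the URL's addon is checked; preview_id is trusted as-is."""
    if not user_can_modify_addon(user, addon_id):
        raise Forbidden("not an owner of addon %d" % addon_id)
    # preview_id came straight from the POST body; any valid id is deleted
    return previews.pop(preview_id, None) is not None


def delete_preview_fixed(user, addon_id, preview_id, previews):
    """Suggested remediation: the preview must belong to the addon being edited."""
    if not user_can_modify_addon(user, addon_id):
        raise Forbidden("not an owner of addon %d" % addon_id)
    preview = previews.get(preview_id)
    if preview is None:
        return False  # nothing to delete
    if preview.addon_id != addon_id:
        raise Forbidden("preview %d does not belong to addon %d" % (preview_id, addon_id))
    del previews[preview_id]
    return True


def outcome(handler, user, addon_id, preview_id):
    """Run a delete handler on a fresh copy of the data and summarise what happened."""
    previews = dict(PREVIEWS)
    try:
        deleted = handler(user, addon_id, preview_id, previews)
    except Forbidden:
        return "forbidden"
    return "deleted" if deleted else "missing"


if __name__ == "__main__":
    # alice owns addon 100 but sends preview 2, which belongs to bob's addon 200
    print("vulnerable:", outcome(delete_preview_vulnerable, "alice", 100, 2))
    print("fixed:     ", outcome(delete_preview_fixed, "alice", 100, 2))
```

The fixed handler keeps the existing addon ownership check and adds the second, object-level check: the id taken from the form must resolve to a preview whose `addon_id` equals the addon the user is authorised on. Logging the "forbidden" branch separately from the "missing" branch is what lets you spot tampered requests like the one in the report.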
(Reporter)

Comment 7

8 years ago
@David yes, that's the right thing to do: check if the preview belongs to the current addon.

Sorry for my misspelling; I was tired and wrote fast, and I had a bad internet connection.

I've disabled the script completely.  This is all old code and was replaced by the new developer tools.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Comment on attachment 499423 [details]
Web Bounty Awarded + 500 [paid]

Recommend non-qual: Deleting preview causes minimal damage to users.
Comment on attachment 499423 [details]
Web Bounty Awarded + 500 [paid]

Not too bad an attack (can restore from backups) but annoying and can reduce trust in the site.

Updated

5 years ago
Blocks: 835438
Flags: sec-bounty+
Keywords: sec-moderate, wsec-authorization
(Assignee)

Updated

2 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Group: client-services-security