developers can delete previews of addons that don't own


Status Graveyard
Public Pages
8 years ago
a year ago


(Reporter: Ervis Tusha, Unassigned)


(Blocks: 1 bug, {sec-moderate, wsec-authorization})

sec-moderate, wsec-authorization
Bug Flags:
sec-bounty +


(Whiteboard: [infrasec:access][ws:moderate], URL)



8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Build Identifier:

Click on delete one preview

Tamper Data

to new id

Sorry, but I have deleted.
I have deleted.

Reproducible: Always

Comment 1

8 years ago
I have mailed about the file I have deleted.

This should be checked carefully, because maybe developers can delete addons or upload addons that they don't own.

Comment 2

8 years ago
Upload and delete seem protected (I mean, it checks if you have the right to upload/delete).

Later I will check if I can upload a preview or add an owner to someone else's addon.

I have created a demo account; I did not delete anything :)
Group: websites-security → client-services-security
Component: Other → Public Pages
Product: Websites →
QA Contact: other → web-ui

Comment 3

8 years ago
Can you clarify the bug? The title implies that any developer can delete another user's addon. Comment #2 seems to imply otherwise.

My interpretation from the comments is that upload/delete for addons checks ownership/permissions. Currently you are looking into ways to upload previews as another user and whether it is possible to modify an addon's owner list. Is this correct?

Comment 4

8 years ago
1. Developers can delete previews of addons that they don't own.
2. I told you maybe the same bug lets a developer delete addons.
3. I have run some tests and it seems secure: a developer can NOT delete/upload or add a new owner for addons that they do NOT own.


8 years ago
Summary: developers can delete previews of addons that dont own → developers can delete previews of addons that don't own

Comment 5

8 years ago
Thanks for the clarification. I have reproduced the bug. 

1. where xxxxx is an addon you have owner permissions on
2. Add a preview image if you haven't already
3. Click Delete Preview
4. Click Update Previews
5. Modify the POST field 
to your desired target_id
6. If you supplied a valid id, you should see
Your previews have been updated successfully.
Preview target_id has been deleted successfully.
Please note that some changes may take several hours to appear in all areas of the website.

The problem appears to be in previews_controller.php

L210 checks that the current user can modify the current addon before calling _delete() on L217

_delete() also performs an addon ownership check. The code doesn't check that the current user can modify the supplied preview id. 

Suggested remediation
Check that the supplied preview_id is a preview for the current addon
Ever confirmed: true
Whiteboard: [infrasec:access][ws:moderate]
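The check described in comment 5, modelled as a stand-alone illustration (added here; this is not AMO's previews_controller.php and the data, function names and ids are all constructed). The vulnerable shape authorises the user against the addon in the request and then trusts the preview id from the POST body as-is; the hardened shape additionally requires that the preview belongs to that addon, which is the remediation suggested above.

```php
<?php
// Constructed sample data (hypothetical ids): two addons with different
// owners, and one preview belonging to each.
$addons = [
    101 => ['owner_id' => 1],
    202 => ['owner_id' => 2],
];
$previews = [
    5001 => ['addon_id' => 101],
    5002 => ['addon_id' => 202],
];

// Ownership check on the addon named in the request.
function userCanModifyAddon(array $addons, int $userId, int $addonId): bool
{
    return isset($addons[$addonId]) && $addons[$addonId]['owner_id'] === $userId;
}

// Vulnerable shape: the addon is authorised, but the preview id supplied by
// the client is never tied back to that addon.
function deletePreviewVulnerable(array &$previews, array $addons, int $userId, int $addonId, int $previewId): string
{
    if (!userCanModifyAddon($addons, $userId, $addonId)) {
        return "forbidden: not an owner of addon $addonId";
    }
    if (!isset($previews[$previewId])) {
        return 'not found';
    }
    unset($previews[$previewId]);
    return "Preview $previewId has been deleted successfully.";
}

// Hardened shape: same addon check, plus the preview must belong to that
// addon. A foreign preview id is answered like a missing one so the response
// does not confirm that the id exists.
function deletePreviewFixed(array &$previews, array $addons, int $userId, int $addonId, int $previewId): string
{
    if (!userCanModifyAddon($addons, $userId, $addonId)) {
        return "forbidden: not an owner of addon $addonId";
    }
    if (!isset($previews[$previewId]) || $previews[$previewId]['addon_id'] !== $addonId) {
        return 'not found';
    }
    unset($previews[$previewId]);
    return "Preview $previewId has been deleted successfully.";
}

// User 1 owns addon 101 and submits preview 5002, which belongs to addon 202.
$copy = $previews;
echo 'vulnerable, foreign preview: ', deletePreviewVulnerable($copy, $addons, 1, 101, 5002), PHP_EOL;

$copy = $previews;
echo 'fixed, foreign preview:      ', deletePreviewFixed($copy, $addons, 1, 101, 5002), PHP_EOL;

// Same user, own preview on own addon: the hardened check still allows it.
$copy = $previews;
echo 'fixed, own preview:          ', deletePreviewFixed($copy, $addons, 1, 101, 5001), PHP_EOL;
```

In a database-backed controller the same rule is easiest to enforce by loading the preview through the addon (for example, selecting it with both the preview id and the authorised addon id in the WHERE clause) rather than by id alone, so that there is no code path in which a preview row is touched without its parent addon having been authorised first.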

Comment 7

8 years ago
@David Yes, that is the right thing to do: check if the preview belongs to the current addon.

Sorry for my misspelling; I was tired and wrote fast, and I had a bad internet connection.

I've disabled the script completely.  This is all old code and was replaced by the new developer tools.
Last Resolved: 7 years ago
Resolution: --- → FIXED
Comment on attachment 499423 [details]
Web Bounty Awarded + 500 [paid]

Recommend non-qual: Deleting preview causes minimal damage to users.
Comment on attachment 499423 [details]
Web Bounty Awarded + 500 [paid]

Not too bad an attack (can restore from backups) but annoying and can reduce trust in the site.


5 years ago
Blocks: 835438
Flags: sec-bounty+
Keywords: sec-moderate, wsec-authorization


2 years ago
Product: → Graveyard
Group: client-services-security