User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:126.96.36.199) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Build Identifier:

https://addons.mozilla.org/en-US/developers/previews/264283/
Click on delete on one of the previews. With Tamper Data, change name="data[Preview][Delete]" to a new id in name="data[Preview][Delete]" and submit. Sorry, but I have deleted https://addons.mozilla.org/en-US/firefox/addon/3456/. I have deleted it.

Reproducible: Always
I have mailed firstname.lastname@example.org the file I have deleted. This should be checked carefully because maybe developers can delete addons or upload addons that they don't own.
Upload and delete seem protected (I mean it checks if you have the right to upload/delete). Later I will check if one can upload a preview or add an owner to someone else's addon. I have created a demo account and not deleted anything :)
Group: websites-security → client-services-security
Component: Other → Public Pages
Product: Websites → addons.mozilla.org
QA Contact: other → web-ui
Can you clarify the bug? The title implies that any developer can delete another user's addon. Comment #2 seems to imply otherwise. My interpretation from the comments is that upload/delete for addons checks ownership/permissions. Currently you are looking into ways to upload previews as another user and whether it is possible to modify an addon's owner list. Is this correct?
1. Developers can delete previews of addons that they don't own on addons.mozilla.org.
2. I said maybe the same bug lets a developer delete addons.
3. I have run some tests and it seems secure: a developer can NOT delete/upload or add a new owner for addons that they do NOT own.
Summary: developers can delete previews of addons that dont own addons.mozilla.org → developers can delete previews of addons that don't own addons.mozilla.org
Thanks for the clarification. I have reproduced the bug.

STR:
1. https://addons.mozilla.org/en-US/developers/previews/xxxxx/ where xxxxx is an addon you have owner permissions on
2. Add a preview image if you haven't already
3. Click Delete Preview
4. Click Update Previews
5. Modify the POST field name="data[Preview][Delete][target_id]" to your desired target_id
6. If you supplied a valid id, you should see "Your previews have been updated successfully. Preview target_id has been deleted successfully. Please note that some changes may take several hours to appear in all areas of the website."

The problem appears to be in previews_controller.php
http://viewvc.svn.mozilla.org/vc/addons/trunk/site/app/controllers/previews_controller.php?revision=51431&view=markup
L210 checks that the current user can modify the current addon before calling _delete() on L217. _delete() also performs an addon ownership check. The code doesn't check that the current user can modify the supplied preview id.

Suggested remediation: check that the supplied preview_id is a preview for the current addon.
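An added illustration of the missing check described above and of the suggested remediation. This is not code from the AMO code base (which is PHP/CakePHP); it is a Python sketch with a constructed in-memory store, and the names `PreviewStore`, `delete_previews_vulnerable`, `delete_previews_fixed`, `build_store` and the users alice/bob are assumptions. The vulnerable handler only verifies the caller's rights on the addon being edited; the fixed handler additionally ties every `data[Preview][Delete][<id>]` field back to that addon before deleting anything.

```python
import re
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Addon:
    id: int
    owners: set = field(default_factory=set)


@dataclass
class Preview:
    id: int
    addon_id: int


class PreviewStore:
    """Constructed in-memory stand-in for the addon and preview tables (assumption)."""

    def __init__(self):
        self.addons = {}
        self.previews = {}

    def add_addon(self, addon_id, *owners):
        self.addons[addon_id] = Addon(addon_id, set(owners))

    def add_preview(self, preview_id, addon_id):
        self.previews[preview_id] = Preview(preview_id, addon_id)


# Field name shape from the report: data[Preview][Delete][target_id]
DELETE_FIELD = re.compile(r"data\[Preview\]\[Delete\]\[(\d+)\]")


def delete_targets(form):
    """Extract preview ids named in data[Preview][Delete][<id>] form fields.

    These ids come straight from the request body, so they are untrusted
    until the handler proves they belong to the addon being edited.
    """
    ids = []
    for key, value in form.items():
        m = DELETE_FIELD.fullmatch(key)
        if m and value:
            ids.append(int(m.group(1)))
    return ids


def user_can_modify(store, user, addon_id):
    addon = store.addons.get(addon_id)
    return addon is not None and user in addon.owners


def delete_previews_vulnerable(store, user, addon_id, form):
    """Mirrors the flaw in the report: rights on the current addon are checked,
    but each supplied preview id is deleted without checking it belongs to it."""
    if not user_can_modify(store, user, addon_id):
        raise Forbidden("not an owner of addon %d" % addon_id)
    deleted = []
    for pid in delete_targets(form):
        if pid in store.previews:
            del store.previews[pid]
            deleted.append(pid)
    return deleted


def delete_previews_fixed(store, user, addon_id, form):
    """Suggested remediation: a preview may only be deleted through the addon
    it belongs to; an id for another addon's preview rejects the request."""
    if not user_can_modify(store, user, addon_id):
        raise Forbidden("not an owner of addon %d" % addon_id)
    targets = delete_targets(form)
    for pid in targets:
        preview = store.previews.get(pid)
        if preview is None or preview.addon_id != addon_id:
            # Refuse the whole request rather than silently skipping the id
            raise Forbidden("preview %d does not belong to addon %d" % (pid, addon_id))
    for pid in targets:
        del store.previews[pid]
    return targets


def build_store():
    """Constructed scenario: alice owns addon 1, bob owns addon 2."""
    store = PreviewStore()
    store.add_addon(1, "alice")
    store.add_addon(2, "bob")
    store.add_preview(10, 1)  # alice's preview
    store.add_preview(20, 2)  # bob's preview
    return store


if __name__ == "__main__":
    # alice edits her own addon (1) but the form names bob's preview id (20)
    tampered = {"data[Preview][Delete][20]": "1"}
    s = build_store()
    print("vulnerable deleted:", delete_previews_vulnerable(s, "alice", 1, tampered))
    s = build_store()
    try:
        delete_previews_fixed(s, "alice", 1, tampered)
    except Forbidden as e:
        print("fixed refused:", e)
```

The fixed handler validates every id before the first delete, so a request mixing a legitimate id with a foreign one removes nothing; a server-side log entry for the `Forbidden` path is also a useful detection signal, since no normal form submission produces an id from another addon.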
Status: UNCONFIRMED → NEW
Ever confirmed: true
@David yes, that's the right thing to do: check if the preview belongs to the current addon. Sorry for my misspellings; I was tired and wrote fast, and I had a bad internet connection.
I've disabled the script completely. This is all old code and was replaced by the new developer tools.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Comment on attachment 499423 [details] Web Bounty Awarded + 500 [paid] Recommend non-qual: Deleting preview causes minimal damage to users.
Comment on attachment 499423 [details] Web Bounty Awarded + 500 [paid] Not too bad an attack (can restore from backups) but annoying and can reduce trust in the site.
Keywords: sec-moderate, wsec-authorization
Product: addons.mozilla.org → addons.mozilla.org Graveyard