TTS Bug Bounty: [IDOR] The authenticated user can restart website build or view build logs on any another Federalist account

2017-07-04T16:11:10
ID H1:245872
Type hackerone
Reporter sp1d3rs
Modified 2017-09-05T20:08:47

Description

We endorse sp1d3rs's summary! The PR fixing this ticket is here: https://github.com/18F/federalist/pull/1061

Thanks to the 18F team for the great experience, fast fix, and the bounty! The report details (I requested limited disclosure due to sensitive info in the attachments):

Description

I found an Insecure Direct Object Reference vulnerability on the /v0/build/ and /v0/build/<siteid>/log API endpoints.

For example, when the user wants to restart the build, the following request is sent to the endpoint: {"site":<siteid>,"branch":"master"}, where siteid is the numeric ID of the site. However, this endpoint does not check whether this site ID belongs to the current user, so any user can restart the build of a site on any other user's account.

Steps to reproduce

  1. Log in to Federalist with your test account (we can call it user1).
  2. Restart the build of some site which belongs to you.
  3. Catch the request to http://localhost:1337/v0/build/ and change the site parameter to the siteID of a site created on some other account (we can call it user2).
  4. Execute the request. It will be accepted and processed.
  5. Log in as user2 and go to the builds page. You will notice that the build was restarted by another user.

Suggested fix

Correct checking of user permissions on these endpoints should fix the issue.

References

Running Federalist locally
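The missing ownership check described in the report above, as an added example: this is not Federalist's code or the linked PR, but a minimal model of the POST /v0/build/ restart handler with constructed site data, showing the vulnerable handler beside a version that verifies the authenticated user owns the requested site before any build is created.

```javascript
// Added example (not Federalist's code or the PR it links): a minimal model of
// the POST /v0/build/ restart handler. Site and build data are constructed.
const sites = [
  { id: 101, owners: ['user1'] },
  { id: 202, owners: ['user2'] },
];
const builds = []; // build records created by successful restarts

function findSite(siteId) {
  return sites.find((s) => s.id === siteId);
}

function buildsForSite(siteId) {
  return builds.filter((b) => b.site === siteId);
}

// Vulnerable handler: trusts the numeric "site" field from the request body
// without checking that the authenticated user owns that site, so any
// logged-in user can restart builds on any other account's site.
function restartBuildVulnerable(user, body) {
  const site = findSite(body.site);
  if (!site) return { status: 404 };
  builds.push({ site: site.id, branch: body.branch, requestedBy: user });
  return { status: 200 };
}

// Fixed handler: validate the ID, then make ownership an explicit positive
// authorization step before any state changes. The same check belongs on
// GET /v0/build/<siteid>/log, which exposes build output for a site.
function restartBuildFixed(user, body) {
  const siteId = Number(body.site);
  if (!Number.isInteger(siteId)) return { status: 400 };
  const site = findSite(siteId);
  // One 404 for both "no such site" and "not your site", so the endpoint
  // does not confirm which site IDs exist to users who do not own them.
  if (!site || !site.owners.includes(user)) return { status: 404 };
  builds.push({ site: site.id, branch: body.branch, requestedBy: user });
  return { status: 200 };
}
```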