We endorse sp1d3rs's summary! The PR fixing this ticket is here: https://github.com/18F/federalist/pull/1061 Thanks to the 18F team for the great experience, fast fix, and the bounty! The report details (I requested the limited disclosure due to sensitive info in the attachments):
I found an Insecure Direct Object Reference vulnerability on the
/v0/build/<siteid>/log API endpoints.
For example, when the user wants to restart the build, next request is sent to the endpoint:
where siteid is the numeric ID of the site.
However, this endpoint does not check whether this site ID belongs to this user. So any user can restart the build of the site on any other user's account.
site parameter to the siteID, which was created on some other account (we can call it
user2) and go to the builds page. You will notice that the build was restarted by another user.
Correct checking of user permissions on these endpoints should fix the issue.
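The ownership check the report asks for, as an added example that is not Federalist's code or part of the original report. It models a build-restart handler twice: once trusting the site ID from the URL (the IDOR above), and once resolving the site through the caller's own memberships. The in-memory `sites` table, the `req.user` / `req.params` shape and the `ownerIds` field are assumptions for illustration.

```javascript
// Added example (not the project's own code): IDOR on a build-restart
// endpoint, vulnerable handler beside the authorization-checked one.
// The data store and request shape below are constructed assumptions.

// Constructed sample data: two users, each owning one site.
const sites = [
  { id: 1, ownerIds: [10] }, // belongs to user 10
  { id: 2, ownerIds: [20] }, // belongs to user 20 ("user2" in the report)
];
const builds = [];

// Vulnerable: the site ID comes straight from the URL and is never tied to
// the authenticated user, so any logged-in user can restart any site's build.
function restartBuildVulnerable(req) {
  const siteId = Number(req.params.siteId);
  const site = sites.find((s) => s.id === siteId);
  if (!site) return { status: 404 };
  builds.push({ siteId, requestedBy: req.user.id });
  return { status: 200, build: builds[builds.length - 1] };
}

// Hardened: look the site up *through the caller's memberships*. A site the
// user cannot access is reported exactly like a site that does not exist, so
// the endpoint does not confirm which IDs are valid.
function userCanAccessSite(user, siteId) {
  const site = sites.find((s) => s.id === siteId);
  return Boolean(site && site.ownerIds.includes(user.id));
}

function restartBuildHardened(req) {
  const siteId = Number(req.params.siteId);
  if (!Number.isInteger(siteId) || siteId <= 0) return { status: 400 };
  if (!userCanAccessSite(req.user, siteId)) return { status: 404 };
  builds.push({ siteId, requestedBy: req.user.id });
  return { status: 200, build: builds[builds.length - 1] };
}

// Demonstration: user 20 tries to restart the build of site 1 (owned by user 10).
const crossAccount = { user: { id: 20 }, params: { siteId: '1' } };
console.log('vulnerable:', restartBuildVulnerable(crossAccount).status); // 200
console.log('hardened:  ', restartBuildHardened(crossAccount).status);   // 404
```

The key design point is that the hardened handler never asks "does site N exist?" on its own; it asks "does site N exist among the sites this user may act on?", which is the check the report says was missing.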