Heya Aaron, I would quite like to be listed on the security contributors page, could you link to my blog at http://tomforb.es ?
Thanks!

--
https://bugs.launchpad.net/bugs/1211758

Title: Arbitrary image download

Status in Mahara ePortfolio: Fix Released
Status in Mahara 1.5 series: Fix Released
Status in Mahara 1.6 series: Fix Released
Status in Mahara 1.7 series: Fix Released
Status in "mahara" package in Debian: Confirmed

Bug description:

I've discovered a few vulnerabilities within Mahara that allow any user to view private images + blog posts of other users.

Disclosure: I know nothing about Mahara and have only used it for the last 2-3 hours, please forgive me if I am wrong in my assumptions about the architecture/functionality.

#1: Upload permissions are not properly checked when creating a journal

When creating a journal entry a user can attach any arbitrary object by ID. From what I can tell every object (file, journal, picture etc.) is the same object (artifact?), or at least all have a unique ID. This means that if you use the file browser to select a file that you can view, then modify the ID (using Chrome's developer tools or in-flight using Burp) to an ID of a folder, journal entry or image, then that object will be attached to the journal entry. Here is a screenshot of the issue: http://i.imgur.com/Lwpm808.png In that image Picture1.png, maxresdefaults.jpg and "tok123tok123's Journal" belong to other users (and give permission errors if you attempt to view them).

#2: Object permissions and types are not correctly checked when embedding content within a page

It is possible to embed private objects belonging to other users within a page. In this screenshot http://i.imgur.com/SShOalI.png I have created a page and attached it to a collection. None of the objects in those blocks belong to the current user (and hence are un-viewable), and all are private (the journal entry to the right is unpublished). You can also select an image file to be embedded as an HTML file (under the 'Some HTML' heading) and get the file contents. You can select a folder, but this causes a 500 error. When editing a block and selecting an upload the page sends an instconf_artefactid_selected[ID] parameter to the server. Simply manipulating the ID in the brackets and the value will let you embed any object.

#3: Export function allows arbitrary file download

Using the technique above you can get a 1024x1024 'thumbnail' of any user's arbitrary file. Simply use the export function on a page like the one above where other users' images are embedded. Make sure the embedded images' max-size is set to 1024 and it will appear within /files/extra.

I know these are not serious issues, but I'm sure there are other permission-related issues to be found. I concentrated mainly on the journal and collection features.
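A defender-side illustration of the server-side check whose absence #1 and #2 describe, added here as an example in Python rather than Mahara's PHP; it is not code from Mahara or from the reporter. The artefact store, the `Artefact` record, the owner-equals-requesting-user rule and the per-block allowed-type set are constructed assumptions (a real deployment may also permit artefacts explicitly shared with the user); it parses the `instconf_artefactid_selected[ID]` parameters named above and keeps only artefacts the user owns and of a type the block expects.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Artefact:
    """Constructed stand-in for one row of an artefact table (hypothetical)."""
    id: int
    owner: int          # owning user id
    artefacttype: str   # e.g. 'image', 'file', 'folder', 'blogpost'


# Constructed store: user 1 owns 101/102, user 2 owns a private image and
# an unpublished journal entry that user 1 must not be able to attach.
ARTEFACTS = {
    101: Artefact(101, owner=1, artefacttype="image"),
    102: Artefact(102, owner=1, artefacttype="folder"),
    201: Artefact(201, owner=2, artefacttype="image"),
    202: Artefact(202, owner=2, artefacttype="blogpost"),
}

_SELECTED = re.compile(r"^instconf_artefactid_selected\[(\d+)\]$")


def selected_ids(form):
    """Extract the IDs carried in instconf_artefactid_selected[ID] keys."""
    return [int(m.group(1)) for key in form if (m := _SELECTED.match(key))]


def vulnerable_attach(form):
    """The reported behaviour: every client-supplied ID is attached as-is."""
    return selected_ids(form)


def authorized_attach(user_id, form, allowed_types, store=ARTEFACTS):
    """Accept only artefacts that exist, belong to user_id and have a type
    the block is allowed to embed; return (accepted, rejected_with_reason)."""
    accepted, rejected = [], {}
    for aid in selected_ids(form):
        art = store.get(aid)
        if art is None or art.owner != user_id:
            rejected[aid] = "not owned"       # unknown or another user's artefact
        elif art.artefacttype not in allowed_types:
            rejected[aid] = "wrong type"      # e.g. a folder where an image is expected
        else:
            accepted.append(aid)
    return accepted, rejected
```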

