** Changed in: mahara (Debian)
Status: Confirmed => Fix Released
https://bugs.launchpad.net/bugs/1211758
Title:
Arbitrary image download
Status in Mahara ePortfolio:
Fix Released
Status in Mahara 1.5 series:
Fix Released
Status in Mahara 1.6 series:
Fix Released
Status in Mahara 1.7 series:
Fix Released
Status in “mahara” package in Debian:
Fix Released
Bug description:
I've discovered a few vulnerabilities within Mahara that allow any
user to view private images + blog posts of other users. Disclosure: I
know nothing about Mahara and have only used it for the last 2-3
hours, please forgive me if I am wrong in my assumptions about the
architecture/functionality.
#1: Upload permissions are not properly checked when creating a journal
When creating a journal entry a user can attach any arbitrary object by ID.
From what I can tell every object (file, journal, picture etc.) is the same
object (artefact?), or at least all have a unique ID. This means that if you use
the file browser to select a file that you can view, then modify the ID (using
Chrome's developer tools or in-flight using Burp) to an ID of a folder, journal
entry or image, then that object will be attached to the journal entry.
Here is a screenshot of the issue: http://i.imgur.com/Lwpm808.png
In that image Picture1.png, maxresdefaults.jpg and "tok123tok123's Journal"
belong to other users (and give permission errors if you attempt to view them).
#2: Object permissions and types are not correctly checked when embedding
content within a page
It is possible to embed private objects belonging to other users within a
page. In this screenshot http://i.imgur.com/SShOalI.png I have created a page
and attached it to a collection. None of the objects in those blocks belong to
the current user (and hence are un-viewable), and all are private (the journal
entry to the right is unpublished).
You can also select an image file to be embedded as an HTML file (under
the 'Some HTML' heading) and get the file contents. You can select a
folder, but this causes a 500 error.
When editing a block and selecting an upload, the page sends an
instconf_artefactid_selected[ID] parameter to the server. Simply
manipulating the ID in the brackets and the value will let you embed
any object.
#3: Export function allows arbitrary file download
Using the technique above you can get a 1024x1024 'thumbnail' of any user's
arbitrary file. Simply use the export function on a page like the one above
where other users' images are embedded. Make sure the embedded image's max size
is set to 1024 and it will appear within /files/extra.
I know these are not serious issues, but I'm sure there are other
permission related issues to be found. I concentrated mainly on the
journal and collection features.
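The three findings above share one root cause: the server trusts a client-supplied artefact ID (for example the bracketed ID in instconf_artefactid_selected[ID]) and neither checks that the requesting user may access that artefact nor that its type is one the block can embed. The following is an added illustration of that flaw beside the corresponding server-side check; it is example code, not Mahara's code, and the Artefact/User classes, the ARTEFACTS sample records, the ALLOWED_TYPES mapping and the owner-or-admin access rule are all constructed assumptions (Mahara's real access rules also cover pages, groups and institutions).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Artefact:
    id: int
    owner: str
    type: str            # "image", "file", "folder" or "blogpost"
    published: bool = True


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


# Constructed sample data (not real Mahara records): artefacts of two users.
ARTEFACTS = {
    1: Artefact(1, "alice", "image"),
    2: Artefact(2, "bob", "image"),
    3: Artefact(3, "bob", "folder"),
    4: Artefact(4, "bob", "blogpost", published=False),
    5: Artefact(5, "alice", "file"),
}

# Hypothetical mapping: which artefact types each block type may embed.
ALLOWED_TYPES = {
    "image": {"image"},
    "html": {"file"},
    "journal": {"blogpost"},
}

# Form key named in the report: instconf_artefactid_selected[ID]
SELECTED_KEY = re.compile(r"^instconf_artefactid_selected\[(\d{1,10})\]$")


class PermissionDenied(Exception):
    pass


class InvalidType(Exception):
    pass


def selected_artefact_ids(form):
    """Return the ids named by instconf_artefactid_selected[ID] keys.

    The id is taken from the key only and must be a plain integer; keys with
    anything else in the brackets are ignored rather than passed to int().
    """
    ids = []
    for key in form:
        m = SELECTED_KEY.match(key)
        if m:
            ids.append(int(m.group(1)))
    return ids


def attach_vulnerable(user, block_type, artefact_id):
    """Behaviour the report describes: the submitted id is attached as-is,
    with no check that the user may see it or that its type fits the block."""
    return ARTEFACTS[int(artefact_id)]


def can_view(user, artefact):
    """Assumed access rule for this example: owner or site admin only."""
    return user.is_admin or artefact.owner == user.name


def attach_hardened(user, block_type, artefact_id):
    """Resolve the id on the server, then enforce access and artefact type."""
    try:
        aid = int(artefact_id)
    except (TypeError, ValueError):
        raise PermissionDenied("bad artefact id") from None
    art = ARTEFACTS.get(aid)
    # Same error for "missing" and "not yours" so ids cannot be enumerated.
    if art is None or not can_view(user, art):
        raise PermissionDenied("artefact %s not accessible" % aid)
    if art.type not in ALLOWED_TYPES.get(block_type, set()):
        raise InvalidType("block %r cannot embed a %s" % (block_type, art.type))
    return art


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; lets callers check a failure mode."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    alice = User("alice")
    # Alice edits the id in the form to Bob's private image (id 2).
    print("vulnerable:", attach_vulnerable(alice, "image", 2))
    print("hardened denies:", raises(PermissionDenied, attach_hardened, alice, "image", 2))
    print("image into HTML block:", raises(InvalidType, attach_hardened, alice, "html", 1))
    print("ids from form:", selected_artefact_ids({"instconf_artefactid_selected[2]": "2"}))
```

The access check runs before the type check so that a user who is not allowed to see an artefact learns nothing about it, not even that its type is wrong for the block; the folder case that produced a 500 in the report is turned into a deliberate InvalidType rejection for the owner and a PermissionDenied for anyone else.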