Reviewed: https://reviews.mahara.org/4778
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/fff46e5493c0cb17ce03defccc7a6b738615a4b1
Submitter: Robert Lyon ([email protected])
Branch: 15.04_STABLE

commit fff46e5493c0cb17ce03defccc7a6b738615a4b1
Author: Hugh Davenport <[email protected]>
Date:   Tue Apr 28 12:38:56 2015 +1200

    Escape institution_display_name correctly (Bug #1447377)

    Institution names were not being escaped properly in the accesslist.
    This patch escapes them properly as well as clearing the compiled
    cache for the templates where this problem occurs.

    Change-Id: I2e675af0b84a3a7106e0245a5faa6ee2095a7e06
    Signed-off-by: Robert Lyon <[email protected]>

--
https://bugs.launchpad.net/bugs/1447377

Title:
  Stored XSS in user reports access lists, and shared tabs for user/group/institution

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  In Progress
Status in Mahara 1.9 series:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed

Bug description:
  This one requires a malicious institution admin, but could still result in privilege escalation to full admin.

  Steps to reproduce:
  - As admin, create a new institution, and a new user with admin rights in that institution
  - Log in as the new institution admin, change the name of the institution to "<script>alert(1);</script>"
  - Add some new users to the institution; their profile pages will automatically be shared with the institution
  - If a full admin runs a user report on that new user now, and views the access list, they will see the XSS
  - If a user shares a page with this institution, then views "Shared by me", then it will trigger
  - If a group shares a page ..., it will trigger
  - If an institution shares a page ..., it will trigger (can be a different institution, just have to be in the same institution to be able to share with it (or it is searchable?)).

  Mainly low risk, as it doesn't gain privilege, but the full admin may view the access list report of all users legitimately, so that makes it critical as privilege escalation is possible (walled garden setups where there are lots of institution admins, and they aren't full admins).

  Patch to come.

  Cheers,
  Hugh

Mailing list: https://launchpad.net/~mahara-contributors
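The root cause described in the report is a stored value (the institution display name) written into HTML without output encoding. The PHP below is an added example and is not Mahara's code or the patch itself: it renders an access-list row the unsafe way and the encoded way using PHP's standard htmlspecialchars(), feeds it the institution name from the reproduction steps, and finishes with a small check that the encoded row contains no raw script tag. The function names, the row markup and the constructed sample value are assumptions made for illustration.

```php
<?php
// Added example (not Mahara code, not the committed patch): rendering an
// access-list row with and without HTML output encoding. Function names and
// the row markup are assumed for illustration.

// Constructed sample input: the institution display name from the bug report.
const MALICIOUS_INSTITUTION_NAME = '<script>alert(1);</script>';

// Vulnerable pattern: an attacker-controlled string is concatenated straight
// into HTML, so whatever the institution admin typed becomes markup that runs
// in the browser of whoever views the access list (here, the full admin).
function render_access_row_unescaped(string $institution_display_name): string
{
    return '<tr><td>Institution</td><td>' . $institution_display_name . '</td></tr>';
}

// Encoding for the HTML text and attribute context. ENT_QUOTES encodes both
// quote styles so the same helper is safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an empty
// string, and the explicit charset keeps the result independent of php.ini.
function hsc_example(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fixed pattern: every untrusted value is encoded at the point of output.
function render_access_row_escaped(string $institution_display_name): string
{
    return '<tr><td>Institution</td><td>' . hsc_example($institution_display_name) . '</td></tr>';
}

// Regression-style smoke check: does the rendered HTML still carry a raw
// <script tag? Encoded output turns '<' into '&lt;', so it must not.
function row_contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$unsafe = render_access_row_unescaped(MALICIOUS_INSTITUTION_NAME);
$safe   = render_access_row_escaped(MALICIOUS_INSTITUTION_NAME);

echo "unescaped: ", $unsafe, PHP_EOL;
echo "escaped:   ", $safe, PHP_EOL;

if (!row_contains_script_tag($unsafe) || row_contains_script_tag($safe)) {
    throw new RuntimeException('output encoding check failed');
}
```

Two caveats worth carrying over from the commit message. First, the patch also clears the compiled template cache: when a template engine compiles templates to PHP, fixing the escape filter in the template source does nothing for a running site until the compiled copy is regenerated, so a check like the one above should be run against the rendered page, not the template file. Second, the substring check is a smoke test for this specific payload only; the property that actually closes the bug is that every untrusted value passes through the encoder for its output context, not that one string fails to appear.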

