** Changed in: mahara/1.3
       Status: In Progress => Fix Released

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Mahara
Core, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/798128

Title:
  All private messages were accessible by wrong users

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  When the "Reply to message" functionality is used, a user who should
  not be able to view the PM discussion can view the whole discussion.
  The problem is that in the reply view the 'replyto' parameter is not
  handled properly. If it is changed to any existing message, the whole
  discussion thread is shown, no matter who the user is. Below is an
  example of a URL which is used for replies. With a small guessing game
  the attacker can read all private messages from the system.

  
http://ec2-50-17-80-248.compute-1.amazonaws.com/user/sendmessage.php?id=2&replyto=6&returnto=inbox
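The defect described above is a missing ownership check: the reply view trusts the 'replyto' id and renders whatever thread it points at. The following is an added example, not Mahara's own code, of the check a reply handler needs: the message table is an in-memory stand-in with constructed rows, the column names (from, to, parent) are assumed, and the current user id is taken from the session rather than from the URL.

```php
<?php
// Constructed sample rows standing in for the private-message table.
// id => [sender, recipient, id of the message this one replies to]
$messages = [
    4 => ['from' => 2, 'to' => 3, 'parent' => null],
    5 => ['from' => 3, 'to' => 2, 'parent' => 4],
    6 => ['from' => 7, 'to' => 8, 'parent' => null], // thread between two other users
];

// A user may see a message only if they sent it or received it.
function is_participant(int $userid, array $msg): bool
{
    return $msg['from'] === $userid || $msg['to'] === $userid;
}

// Vulnerable shape, for contrast: walks the reply chain behind 'replyto'
// without ever asking whether the current user belongs to it.
function load_reply_thread_unchecked(array $messages, int $replyto): array
{
    $thread = [];
    for ($id = $replyto; $id !== null && isset($messages[$id]); $id = $messages[$id]['parent']) {
        $thread[] = $id;
    }
    return array_reverse($thread);
}

// Hardened shape: every message in the chain must involve the current user.
// Returns null (deny) for an unknown id and for a foreign thread alike, so the
// response does not reveal which message ids exist.
function load_reply_thread(array $messages, int $userid, int $replyto): ?array
{
    if (!isset($messages[$replyto])) {
        return null;
    }
    $thread = [];
    for ($id = $replyto; $id !== null && isset($messages[$id]); $id = $messages[$id]['parent']) {
        if (!is_participant($userid, $messages[$id])) {
            return null; // one foreign message is enough to refuse the whole thread
        }
        $thread[] = $id;
    }
    return array_reverse($thread);
}

// The request from the report, issued by the logged-in user 2:
// sendmessage.php?id=2&replyto=6 -- user 2 is not part of thread 6.
$userid = 2; // assumed to come from the authenticated session, never from a request parameter
var_dump(load_reply_thread_unchecked($messages, 6)); // what the bug exposed
var_dump(load_reply_thread($messages, $userid, 6));   // denied by the participant check
var_dump(load_reply_thread($messages, $userid, 5));   // the user's own thread is still served
```

The same participant check belongs on the 'id' (recipient) parameter, so that a reply cannot be attached to a thread the sender was never part of.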

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/798128/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-core