Stored XSS in user reports access lists, and shared tabs for user/group/institution

Bug #1447377 reported by Hugh Davenport
Affects   Status        Importance  Assigned to     Milestone
Mahara    Fix Released  Critical    Hugh Davenport
1.10      Fix Released  Critical    Unassigned
1.9       Fix Released  Critical    Unassigned
15.04     Fix Released  Critical    Unassigned
15.10     Fix Released  Undecided   Unassigned

Bug Description

This one requires a malicious institution admin, but could still result in privilege escalation to full admin.

Steps to reproduce:
- As admin, create a new institution, and a new user with admin rights in that institution
- Log in as new institution admin, change name of institution to "<script>alert(1);</script>"
- Add some new users to the institution, their profile pages will automatically be shared with the institution
- If full admin runs a user report on that new user now, and views access list, they will see the XSS
- If a user shares a page with this institution, then views "Shared by me", then it will trigger
- If a group shares a page ..., it will trigger
- If an institution shares a page ..., it will trigger (can be a different institution, you just have to be in the same institution to be able to share with it (or it is searchable?)).

Mainly low risk, as it doesn't gain privilege, but the full admin may view the access list report of all users legitimately, so that makes it critical as privilege escalation is possible (walled garden setups where there are lots of institution admins who aren't full admins).

Patch to come.

Cheers,

Hugh
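As an added illustration (not code from the report or from Mahara), the rendering pattern behind this class of bug and its fix: an access list that interpolates `institution_display_name` raw versus one that HTML-escapes every untrusted value on output, plus a regression check that flags raw markup surviving into the rendered page. The entry structure and sample values are constructed for the example.

```python
import html

# Constructed access-list entries, modelled on the scenario in the report:
# the institution display name was set by an institution admin and must be
# treated as untrusted input when it is shown to other users or to the
# site admin.  (Constructed data, not Mahara's real structure.)
ACCESS_LIST = [
    {"type": "user", "display_name": "Alice Example"},
    {"type": "institution",
     "institution_display_name": "<script>alert(1);</script>"},
]


def _entry_name(entry):
    """Pick the name to display for an access-list entry."""
    return entry.get("institution_display_name") or entry.get("display_name", "")


def render_access_list_unescaped(entries):
    """Vulnerable rendering: values are interpolated raw into the markup,
    so a stored name containing markup becomes live HTML for every viewer."""
    rows = [f'<li class="{e["type"]}">{_entry_name(e)}</li>' for e in entries]
    return "<ul>" + "".join(rows) + "</ul>"


def render_access_list(entries):
    """Hardened rendering: every untrusted value is HTML-escaped at the
    point of output, including attribute values."""
    rows = [
        f'<li class="{html.escape(e["type"])}">{html.escape(_entry_name(e))}</li>'
        for e in entries
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def leaks_raw_markup(rendered, untrusted_values):
    """Regression check: return every untrusted value that contains markup
    characters and still appears verbatim in the rendered output."""
    return [
        v for v in untrusted_values
        if any(c in v for c in "<>\"'&") and v in rendered
    ]
```

Because the commit also had to clear the compiled template cache, a check like `leaks_raw_markup` is most useful when run against the page as actually served rather than against the template source, since a stale compiled template keeps emitting the raw value after the source is fixed.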

Hugh Davenport (hugh-davenport) wrote:

Patch added

Robert Lyon (robertl-9) wrote:

Hi Hugh,

I've added a patch to gerrit for this:
https://reviews.mahara.org/#/c/4698/

It's based on your patch - but with a slight change - see comment in gerrit

Changed in mahara:
status: Triaged → In Progress
milestone: none → 15.10.0
Jinelle Foley-Barnes (jinelleb) wrote:

Hi,

I've been trying to test this, I think I may be going wrong.

- As admin, create a new institution, and a new user with admin rights in that institution
- Log in as new institution admin, change name of institution to "<script>alert(1);</script>"

I couldn't do step 2 because when I logged in as new institution admin I couldn't access institutions because I'm not a site admin. However I did see that I got the confirmation message to say that I had become the Institution admin of the "testing" institution. I just couldn't access it.

Let me know where I’m going wrong.

Thanks,
Jinelle

Mahara Bot (dev-mahara) wrote: A change has been merged

Reviewed: https://reviews.mahara.org/4778
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/fff46e5493c0cb17ce03defccc7a6b738615a4b1
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit fff46e5493c0cb17ce03defccc7a6b738615a4b1
Author: Hugh Davenport <email address hidden>
Date: Tue Apr 28 12:38:56 2015 +1200

Escape institution_display_name correctly (Bug #1447377)

Institution names were not being escaped properly in the
accesslist.

This patch escapes them properly as well as clearing the
compiled cache for the templates where this problem occurs.

Change-Id: I2e675af0b84a3a7106e0245a5faa6ee2095a7e06
Signed-off-by: Robert Lyon <email address hidden>

Aaron Wells (u-aaronw)
Changed in mahara:
status: In Progress → Fix Committed
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote:

Reviewed: https://reviews.mahara.org/4777
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/66efb9a70fd2e1ace257252147d5b5754658239d
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.10_STABLE

commit 66efb9a70fd2e1ace257252147d5b5754658239d
Author: Hugh Davenport <email address hidden>
Date: Tue Apr 28 12:38:56 2015 +1200

Escape institution_display_name correctly (Bug #1447377)

Institution names were not being escaped properly in the
accesslist.

This patch escapes them properly as well as clearing the
compiled cache for the templates where this problem occurs.

Change-Id: I2e675af0b84a3a7106e0245a5faa6ee2095a7e06
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote:

Reviewed: https://reviews.mahara.org/4810
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/721bddaa3413c67ab816f1e02940c6c31d5682fc
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 721bddaa3413c67ab816f1e02940c6c31d5682fc
Author: Aaron Wells <email address hidden>
Date: Fri May 29 10:43:03 2015 +1200

Add log description to lib/db/upgrade.php block

Bug 1447377

Change-Id: Id0f64a6dc883f31de69595a05a321e2ec7ac1b09

Aaron Wells (u-aaronw)
Changed in mahara:
status: Fix Committed → Fix Released