Administrators masquerading as other users can jump to remote XMLRPC applications as that other user

Bug #884223 reported by Andrew Nicols
Affects   Status         Importance   Assigned to         Milestone
Mahara    Fix Released   High         Andrew Nicols
1.3       Fix Released   High         François Marier

Bug Description

With MNet set up, if a user logs in as another user and jumps to an XMLRPC target, they're logged in to that target as the child user of the "login as" session.

This really shouldn't be the case. If two applications are joined but have different administrators, then this would potentially allow for privilege escalation.

If the local application administrator knows of an account which is an administrator on a remote application, then they could log in as that user on the local application, and jump to the remote application thereby escalating their privileges.


Andrew Nicols (dobedobedoh) wrote :

Definitely affects master

Changed in mahara:
importance: Undecided → High
Andrew Nicols (dobedobedoh) wrote :

I've submitted https://reviews.mahara.org/811 with a patch for this

Changed in mahara:
status: New → In Progress
assignee: nobody → Andrew Nicols (dobedobedoh)
milestone: none → 1.4.1
Andrew Nicols (dobedobedoh) wrote :

After chatting to David Mudrak, I've changed my mind on this one.
I'm updating my patch to completely prevent jumps.

The reasoning behind this is that
* users may be confused when jumping as a masqueraded user and not arriving as that user
* the session could potentially get into a weird state and have a knock-on effect with portfolio export etc.
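The three behaviours discussed in this report, as an added illustrative model that is not Mahara's code: the pre-fix jump that asserts the masqueraded (child) identity to the remote peer, the first approach of jumping as the parent user, and the approach finally taken of refusing any jump while a "login as" session is active. The `Session` class, its `masquerading_as` field, the `jump_*` functions and the account names are assumptions invented for the example; the scenario is constructed so that an ordinary local account is an administrator on the peer.

```python
"""Model of an MNet-style SSO jump made during a "login as" (masquerade)
session. Illustrative only: none of these names are Mahara's; they stand in
for the session and jump logic the bug report describes."""

from dataclasses import dataclass
from typing import Optional


class JumpRefused(Exception):
    """Raised when an SSO jump is not permitted from the current session."""


@dataclass
class Session:
    # The user who actually authenticated to the local application (the parent).
    real_user: str
    # Set while an administrator is logged in as someone else (assumed field).
    masquerading_as: Optional[str] = None

    @property
    def effective_user(self) -> str:
        """Identity the application acts as for ordinary requests."""
        return self.masquerading_as or self.real_user


def jump_vulnerable(session: Session, target: str) -> dict:
    """Pre-fix behaviour: the remote peer is told the *effective* user, so a
    masquerading local admin arrives on the peer as the child user."""
    return {"target": target, "username": session.effective_user}


def jump_as_parent(session: Session, target: str) -> dict:
    """First approach considered in the thread: always assert the parent
    (real) user. Closes the escalation, but the person who pressed "jump"
    while seeing the site as the child user lands on the peer as themselves."""
    return {"target": target, "username": session.real_user}


def jump_fixed(session: Session, target: str) -> dict:
    """Approach adopted in the thread: refuse the jump outright while
    masquerading, so no identity is asserted to the peer from such a session."""
    if session.masquerading_as is not None:
        raise JumpRefused(
            f"{session.real_user} is masquerading as {session.masquerading_as}; "
            f"SSO jump to {target} not permitted"
        )
    return {"target": target, "username": session.real_user}


def demo() -> dict:
    """Constructed scenario: 'localadmin' administers only the local site;
    'remoteadmin' is an ordinary local account that is an administrator on
    the peer. Returns which username each variant would assert to the peer."""
    s = Session(real_user="localadmin", masquerading_as="remoteadmin")
    peer = "https://peer.example"  # hypothetical MNet peer
    results = {
        "vulnerable": jump_vulnerable(s, peer)["username"],
        "as_parent": jump_as_parent(s, peer)["username"],
    }
    try:
        jump_fixed(s, peer)
        results["fixed"] = "jumped"
    except JumpRefused:
        results["fixed"] = "refused"
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(f"{variant:>10}: {outcome}")
```

Running the block shows the vulnerable variant asserting `remoteadmin` to the peer, the parent variant asserting `localadmin`, and the adopted variant refusing the jump; an unmasqueraded session still jumps normally through `jump_fixed`.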

Hugh Davenport (hugh-davenport) wrote :

Yeah, this is annoying. We should also make a similar bug in moodle and any other application that jumps into mahara?

Andrew Nicols (dobedobedoh) wrote :

An updated patch with the correct spelling of bug ;)

Richard Mansfield (richard-mansfield) wrote :

Andrew, you fixed the spelling, but went back to jumping as the parent user.
I think I'd rather live with the bad spelling :)

Andrew Nicols (dobedobedoh) wrote :

No idea how that happened. Fixed now and double checked!

Richard Mansfield (richard-mansfield) wrote :
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public
This report contains Public Security information: everyone can see this security-related information.