Require re-entering RSS feed password when you change the URL

Bug #1172096 reported by Aaron Wells
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
Medium
Unassigned
1.5
Fix Released
Medium
Unassigned
1.6
Fix Released
Medium
Unassigned
1.7
Fix Released
Medium
Unassigned

Bug Description

If we implement a fix for https://bugs.launchpad.net/mahara/+bug/1016253 (encrypt RSS feed usernames & passwords) there's still a potential attack vector in the URL to the RSS feed.

Attack:
1a. Masquerade as the user
1b. OR get the user to give you a copy of the Page containing the RSS feed block
2. Enter the settings for the RSS feed block (or its copy)
3. Change the URL of the RSS feed to point at your own server

Result:
When Mahara next refreshes the RSS feed, it will send the plaintext username and password to your server, where you can easily capture it.

Fix:
Require a user to re-enter the password when they change the URL

Tags: security rss

CVE References

Revision history for this message
Aaron Wells (u-aaronw) wrote :

I'm only tagging this one "medium" because the attack is only possible if you have masquerade access, or if the user gives you a copy of the Page.

Revision history for this message
Aaron Wells (u-aaronw) wrote :

It has been pointed out to me that in some cases an RSS feed's URL itself can contain sensitive information.

I guess the safest thing to do, would be to make an RSS block "write-only", which is to say that you enter the data when initially creating the block, and then it is stored in the DB and not displayed back in the browser directly again.

On the other hand, perhaps it should be the user's responsibility not to share a potentially sensitive RSS block? We could add a "make this write-only" config option to RSS blocks, but that seems like overkill because sensitive RSS feeds in blocks are actually kinda rare. Perhaps just a warning when making a copy of a page, that all the page's contents will become accessible to the person who's getting a copy of it?

Aaron Wells (u-aaronw)
summary: - Require re-entering RSS feed username and password when you change the
- URL
+ Require re-entering RSS feed password when you change the URL
Revision history for this message
Aaron Wells (u-aaronw) wrote :
Aaron Wells (u-aaronw)
information type: Private Security → Public Security
Changed in mahara:
status: Triaged → Fix Committed
Aaron Wells (u-aaronw)
Changed in mahara:
status: Fix Committed → Fix Released
Revision history for this message
Aaron Wells (u-aaronw) wrote :
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers