Mahara

Require re-entering RSS feed password when you change the URL

Bug #1172096 reported by Aaron Wells on 2013-04-24

258

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mahara	Fix Released	Medium	Unassigned
1.5	Fix Released	Medium	Unassigned	Mahara 1.5.10
1.6	Fix Released	Medium	Unassigned	Mahara 1.6.5
1.7	Fix Released	Medium	Unassigned	Mahara 1.7.1

Bug Description

If we implement a fix for https://bugs.launchpad.net/mahara/+bug/1016253 (encrypt RSS feed usernames & passwords) there's still a potential attack vector in the URL to the RSS feed.

Attack:
1a. Masquerade as the user
1b. OR get the user to give you a copy of the Page containing the RSS feed block
2. Enter the settings for the RSS feed block (or its copy)
3. Change the URL of the RSS feed to point at your own server

Result:
When Mahara next refreshes the RSS feed, it will send the plaintext username and password to your server, where you can easily capture it.

Fix:
Require a user to re-enter the password when they change the URL

Tags:

CVE References

2013-7413

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2013-04-24:

I'm only tagging this one "medium" because the attack is only possible if you have masquerade access, or if the user gives you a copy of the Page.

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2013-04-24:

It has been pointed out to me that in some cases an RSS feed's URL itself can contain sensitive information.

I guess the safest thing to do, would be to make an RSS block "write-only", which is to say that you enter the data when initially creating the block, and then it is stored in the DB and not displayed back in the browser directly again.

On the other hand, perhaps it should be the user's responsibility not to share a potentially sensitive RSS block? We could add a "make this write-only" config option to RSS blocks, but that seems like overkill because sensitive RSS feeds in blocks are actually kinda rare. Perhaps just a warning when making a copy of a page, that all the page's contents will become accessible to the person who's getting a copy of it?

Aaron Wells (u-aaronw) on 2013-04-29

summary:

- Require re-entering RSS feed username and password when you change the
- URL
+ Require re-entering RSS feed password when you change the URL

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2013-04-29:

https://reviews.mahara.org/2097

Aaron Wells (u-aaronw) on 2013-05-02

information type:	Private Security → Public Security
Changed in mahara:
status:	Triaged → Fix Committed

Aaron Wells (u-aaronw) on 2013-05-03

Changed in mahara:
status:	Fix Committed → Fix Released

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2013-05-03:

backported:

1.7: https://reviews.mahara.org/2114
1.6: https://reviews.mahara.org/2115
1.5: https://reviews.mahara.org/2116

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.