Not checking artefact permissions before exporting
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Fix Released
|
Medium
|
Unassigned | ||
1.10 |
Won't Fix
|
Medium
|
Unassigned | ||
1.9 |
Won't Fix
|
Medium
|
Unassigned | ||
15.04 |
Fix Released
|
Medium
|
Unassigned | ||
15.10 |
Fix Released
|
Medium
|
Unassigned | ||
16.04 |
Fix Released
|
Medium
|
Unassigned | ||
16.10 |
Fix Released
|
Medium
|
Unassigned |
Bug Description
In https:/
#3: Export function allows arbitrary file download
Using the technique above you can get a 1024x1024 'thumbnail' of any users arbitrary file. Simply use the export function on a page like the one above where other users images are embedded. Make sure the embedded images max-size is set to 1024 and it will appear within /files/extra.
There is an obvious fix for this issue, of checking $USER->
Since fixing the embedding of other users' data mitigates the risk from this issue and was easier to accomplish, I've released that fix and spun this one off into a separate bug to fix when we're able.
CVE References
Changed in mahara: | |
milestone: | 1.8.1 → 1.9.0 |
Changed in mahara: | |
milestone: | 1.9.0 → 1.9.1 |
no longer affects: | mahara/1.6 |
no longer affects: | mahara/1.7 |
tags: | added: no-behat-needed |
no longer affects: | mahara/1.8 |
information type: | Private Security → Public Security |
Changed in mahara: | |
milestone: | 16.04.1 → none |
status: | Fix Committed → Fix Released |
From my investigations it looks the problem is only related to the HTML export and when blocks have artefacts attached that are not owned by the user.