XSS with institution full name on user profile page
Bug #1381868 reported by Aaron Wells
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Yuliya Bozhko |
1.10 | Fix Released | Medium | Yuliya Bozhko |
1.7 | Fix Released | Medium | Unassigned |
1.8 | Fix Released | Medium | Yuliya Bozhko |
1.9 | Fix Released | Medium | Yuliya Bozhko |
15.04 | Fix Released | Medium | Yuliya Bozhko |
Bug Description
Yuliya reported this one to me via IRC. The institution display name is not filtered for HTML on the user profile page. Consequently, site admins and institutional admins can put Javascript into it.
This is a medium-level security threat, mainly of concern to multi-tenanted Mahara institutions where the security of the "institutional admin" users may not be fully vetted by the site administrators.
CVE References
information type: Private Security → Public Security
Changed in mahara:
status: Fix Committed → Fix Released
To replicate:
1. Create an institution
2. For the institution display name, enter "Display name <script> alert(' test'); </script> "
3. Add a user to that institution
4. Visit the user's profile page
Expected result: Below their profile icon it should say "Member of Display name <script> alert(' test'); </script> " (with the script tags turned into HTML entities)
Actual result: There will be a Javascript popup that says "test". And below the user's profile icon it will instead say "Member of Display name" (with the script tag not visible because it has been rendered as HTML)
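The root cause described above is missing output encoding: the "Member of ..." label is built by concatenating the stored display name straight into HTML. The following PHP is an added example, not Mahara's own code, showing the vulnerable rendering next to a hardened version and a small regression check a reviewer can run on the report's payload. Mahara's code base has its own escaping helper; the example uses PHP's built-in `htmlspecialchars` so it runs stand-alone, and the function names `render_member_of_unescaped`, `render_member_of_escaped` and `contains_raw_tag` are hypothetical.

```php
<?php
// Added example (not Mahara's own code). Demonstrates why the profile-page
// "Member of ..." label must be HTML-escaped at output time, using the
// display name from the bug report's reproduction steps as sample input.

// Constructed sample input: the institution display name from the repro steps.
$display_name = 'Display name <script> alert(\' test\'); </script> ';

// Vulnerable form: the raw value is interpolated into markup, so any
// HTML stored in the display name is rendered and any script is executed.
function render_member_of_unescaped(string $display_name): string
{
    return '<div class="member-of">Member of ' . $display_name . '</div>';
}

// Hardened form: escape on output. ENT_QUOTES converts both quote kinds
// as well as < > and &, so the value is safe in element content and in
// attribute values; the browser then shows the literal text, as the
// "Expected result" in the report describes.
function render_member_of_escaped(string $display_name): string
{
    $safe = htmlspecialchars($display_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="member-of">Member of ' . $safe . '</div>';
}

// Regression check: rendered markup must never contain a raw <script tag.
// Case-insensitive, since tag names are case-insensitive in HTML.
function contains_raw_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$unsafe = render_member_of_unescaped($display_name);
$safe   = render_member_of_escaped($display_name);

echo "Unescaped: ", $unsafe, PHP_EOL;   // a browser would run the script here
echo "Escaped:   ", $safe, PHP_EOL;     // a browser shows the text verbatim

// The unescaped output fails the check, the escaped output passes it.
var_dump(contains_raw_tag($unsafe));
var_dump(contains_raw_tag($safe));
```

The point of escaping at the output site rather than filtering on save is that the display name is written by site and institutional admins, the very accounts the report says may not be fully vetted in multi-tenant deployments; treating their input as untrusted at render time closes the hole regardless of how the value got into the database.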