XSS with institution full name on user profile page

Bug #1381868 reported by Aaron Wells on 2014-10-16
This bug affects 2 people
Affects        Importance   Assigned to
Mahara         Medium       Yuliya Bozhko
Mahara 1.10    Medium       Yuliya Bozhko
Mahara 1.7     Medium       Unassigned
Mahara 1.8     Medium       Yuliya Bozhko
Mahara 1.9     Medium       Yuliya Bozhko
Mahara 15.04   Medium       Yuliya Bozhko

Bug Description

Yuliya reported this one to me via IRC. The institution display name is not filtered for HTML on the user profile page. Consequently, site admins and institutional admins can put JavaScript into it.

This is a medium-level security threat, mainly of concern to multi-tenanted Mahara institutions where the security of the "institutional admin" users may not be fully vetted by the site administrators.

Tags: xss

Aaron Wells (u-aaronw) wrote :

To replicate:

1. Create an institution
2. For the institution display name, enter "Display name <script>alert('test');</script>"
3. Add a user to that institution
4. Visit the user's profile page

Expected result: Below their profile icon it should say "Member of Display name <script>alert('test');</script>" (with the script tags turned into HTML entities)

Actual result: There will be a JavaScript popup that says "test". And below the user's profile icon it will instead say "Member of Display name" (with the script tag not visible because it has been rendered as HTML)
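
The defect and its fix, shown as an added example in Python (this is illustrative code written for this page, not Mahara's own PHP template code). The vulnerable renderer interpolates the display name into the page as-is, the fixed one escapes it for HTML body context at output time, and a regression check confirms the fixed output matches the expected result quoted above. The display name used is the payload from step 2 of the report.

```python
import html
import re

# Institution display name exactly as entered in step 2 of the report
# (constructed test input, taken from the bug's reproduction steps).
INSTITUTION_DISPLAY_NAME = "Display name <script>alert('test');</script>"

# Matches an unescaped <script opening tag; entity-encoded "&lt;script"
# does not match because it carries no literal "<".
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_membership_vulnerable(display_name: str) -> str:
    """Buggy behaviour: the admin-supplied display name is dropped into
    the profile page unescaped, so the browser executes any markup in it."""
    return f"<p>Member of {display_name}</p>"


def render_membership_fixed(display_name: str) -> str:
    """Fixed behaviour: escape for HTML body context when rendering, so the
    browser displays the literal text, angle brackets included."""
    return f"<p>Member of {html.escape(display_name, quote=True)}</p>"


def contains_raw_script_tag(fragment: str) -> bool:
    """Regression check: a rendered fragment built from user-controlled
    data must never contain an unescaped <script> opening tag."""
    return SCRIPT_TAG.search(fragment) is not None


def check_profile_rendering(display_name: str) -> dict:
    """Render the 'Member of' line both ways and report the outcome of the
    regression check for each, plus the fixed output for comparison."""
    vulnerable = render_membership_vulnerable(display_name)
    fixed = render_membership_fixed(display_name)
    return {
        "vulnerable_has_script": contains_raw_script_tag(vulnerable),
        "fixed_has_script": contains_raw_script_tag(fixed),
        "fixed_output": fixed,
    }


if __name__ == "__main__":
    for key, value in check_profile_rendering(INSTITUTION_DISPLAY_NAME).items():
        print(f"{key}: {value}")
```

The fixed output is the entity-encoded form the report lists as the expected result; the same check can be pointed at any other template field that carries admin-controlled text.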

Aaron Wells (u-aaronw) wrote :

Patch for master (1.11dev): https://reviews.mahara.org/#/c/3822/

Aaron Wells (u-aaronw) on 2014-10-21
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released