Secret URLs used on public computers leak access to later users of the same browser
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | Low | Aaron Wells | |
| 1.10 | Fix Released | Low | Unassigned | |
| 1.8 | Fix Released | Low | Unassigned | |
| 1.9 | Fix Released | Low | Unassigned | |
Bug Description
If a user (or group) creates a private page and gives it a secret URL, and the page is then accessed by the secret URL on a public computer and the user doesn't close their browser window afterwards, other users will also be able to access that page by its normal URL or its secret URL.
This can defy user expectations of access rights.
E.g.
1. Group A admin creates a page and shares it only with the group; the page has id=8.
2. Group A admin creates a secret URL for the page, eg /view/view.
3. User 1, who is not in the group, goes to the page by its secret URL (while using a computer at the library).
4. User 1 then logs out, but doesn't close their browser window.
5. User 2 comes to the computer and goes to /view/view.php?id=8
Expected result - User 2 can't access the page, as they don't know the secret URL.
Actual result - User 2 can access the page.
This is reported here: https:/
Changed in mahara:
status: Confirmed → Fix Committed
assignee: nobody → Aaron Wells (u-aaronw)
milestone: 1.10.1 → 15.04.0
Changed in mahara:
status: Fix Committed → Fix Released
Further investigation into this problem:
What needs to happen is that a user accesses the secret URL so that a cookie is set in the browser.
Then another user using the same browser session can access the page via the normal URL.
This can happen in a school-type situation where different people use the same machine.
To fix: have the secreturl cookies be killed on logout rather than on closing of the browser.
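As an added illustration (a small Python model written for this page, not Mahara's own code), here is the scenario from the report together with the fix proposed in the comment above: the secret-URL grant lives in a cookie in a shared browser, and only clearing that cookie at logout stops the next user of the same browser from opening the page by its normal URL. The cookie name, the token value and the group membership are constructed assumptions.

```python
# Added model of the bug, not Mahara's own code: a shared browser is just its
# cookie jar, which outlives a logout; cookie and token names are constructed.
PAGE_ID = 8                      # the private page in the report
SECRET_TOKEN = "s3cr3t-token"    # constructed token behind the secret URL
GROUP_MEMBERS = {"group_admin"}  # who may see the page without the secret URL
SECRET_COOKIE = f"viewaccess:{PAGE_ID}"  # placeholder cookie name


class Server:
    def __init__(self, clear_secreturl_on_logout):
        self.clear_secreturl_on_logout = clear_secreturl_on_logout
        self.sessions = {}  # cookie-jar id -> logged-in user

    def login(self, browser, user):
        self.sessions[id(browser)] = user

    def logout(self, browser):
        self.sessions.pop(id(browser), None)
        if self.clear_secreturl_on_logout:
            # the fix from the report: kill secret-URL cookies on logout,
            # not only when the browser window is closed
            for name in [c for c in browser if c.startswith("viewaccess:")]:
                del browser[name]

    def open_secret_url(self, browser, token):
        """Visiting the secret URL: a valid token is remembered in a cookie."""
        if token != SECRET_TOKEN:
            return False
        browser[SECRET_COOKIE] = token
        return True

    def open_view(self, browser):
        """/view/view.php?id=8: a group member or a valid cookie gets access."""
        user = self.sessions.get(id(browser))
        if user in GROUP_MEMBERS:
            return True
        return browser.get(SECRET_COOKIE) == SECRET_TOKEN


def replay_report(clear_secreturl_on_logout):
    """Steps 3-5 of the report; returns whether User 2 can see page 8."""
    server = Server(clear_secreturl_on_logout)
    browser = {}                           # the library computer's cookie jar
    server.login(browser, "user1")         # User 1 is not in the group
    assert server.open_secret_url(browser, SECRET_TOKEN)
    server.logout(browser)                 # window left open, cookies survive
    server.login(browser, "user2")         # User 2 sits down next
    return server.open_view(browser)
```

With the cookie left in place, `replay_report(False)` reproduces the "Actual result"; with the logout clearing it, `replay_report(True)` gives the "Expected result".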