2014-10-25 02:39:45 |
Robert Lyon |
bug |
|
|
added bug |
2014-10-28 01:28:11 |
Aaron Wells |
description |
If a group creates a page that only the group can access - but then adds a secret url to the page, a person not in the group can access the page via its normal url.
Eg
1) group A admin creates a page and shares it only with the group, the page has the id=8
2) group A admin creates a secret url for the page, eg /view/view.php?t=nFlSjpVuUCawH6TxP7A3
3) User 1, who is not in any groups, goes to /view/view.php?id=8
Expected result - they can't access the page as they don't know the secret url
Actual result - they can access the page
This is reported here: https://mahara.org/interaction/forum/topic.php?id=6520 |
If a user (or group) creates a private page and gives it a secret URL, and then the page is accessed by the secret URL on a public computer and the user doesn't close their browser window afterwards, other users will also be able to access that page by its normal url or its secret URL.
This can defy user expectations of access rights.
Eg
1. group A admin creates a page and shares it only with the group, the page has the id=8
2. group A admin creates a secret url for the page, eg /view/view.php?t=nFlSjpVuUCawH6TxP7A3
3. User 1, who is not in the group, goes to the page by its secret URL. (While using a computer at the library.)
4. User 1 then logs out.
5. User 2 comes along and goes to /view/view.php?id=8
Expected result - User 2 can't access the page as they don't know the secret url
Actual result - User 2 can access the page
This is reported here: https://mahara.org/interaction/forum/topic.php?id=6520 |
|
2014-10-28 01:28:41 |
Aaron Wells |
description |
If a user (or group) creates a private page and gives it a secret URL, and then the page is accessed by the secret URL on a public computer and the user doesn't close their browser window afterwards, other users will also be able to access that page by its normal url or its secret URL.
This can defy user expectations of access rights.
Eg
1. group A admin creates a page and shares it only with the group, the page has the id=8
2. group A admin creates a secret url for the page, eg /view/view.php?t=nFlSjpVuUCawH6TxP7A3
3. User 1, who is not in the group, goes to the page by its secret URL. (While using a computer at the library.)
4. User 1 then logs out.
5. User 2 comes along and goes to /view/view.php?id=8
Expected result - User 2 can't access the page as they don't know the secret url
Actual result - User 2 can access the page
This is reported here: https://mahara.org/interaction/forum/topic.php?id=6520 |
If a user (or group) creates a private page and gives it a secret URL, and then the page is accessed by the secret URL on a public computer and the user doesn't close their browser window afterwards, other users will also be able to access that page by its normal url or its secret URL.
This can defy user expectations of access rights.
Eg
1. group A admin creates a page and shares it only with the group, the page has the id=8
2. group A admin creates a secret url for the page, eg /view/view.php?t=nFlSjpVuUCawH6TxP7A3
3. User 1, who is not in the group, goes to the page by its secret URL. (While using a computer at the library.)
4. User 1 then logs out, but doesn't close their browser window.
5. User 2 comes to the computer and goes to /view/view.php?id=8
Expected result - User 2 can't access the page as they don't know the secret url
Actual result - User 2 can access the page
This is reported here: https://mahara.org/interaction/forum/topic.php?id=6520 |
|
2014-10-28 12:44:14 |
Aaron Wells |
mahara: importance |
Critical |
Low |
|
2014-10-28 12:44:19 |
Aaron Wells |
information type |
Private Security |
Public Security |
|
2014-10-28 12:44:46 |
Aaron Wells |
summary |
Can illegally access pages that contain a secret url by normal url |
Secret URLs used on public computers |
|
2014-10-28 12:48:31 |
Aaron Wells |
summary |
Secret URLs used on public computers |
Secret URLs used on public computers leak access to later users of the same browser session |
|
2014-10-28 12:48:43 |
Aaron Wells |
summary |
Secret URLs used on public computers leak access to later users of the same browser session |
Secret URLs used on public computers leak access to later users of the same browser |
|
2014-10-29 03:49:13 |
Kristina Hoeppner |
mahara: status |
Confirmed |
Fix Committed |
|
2014-10-29 03:49:21 |
Kristina Hoeppner |
mahara: assignee |
|
Aaron Wells (u-aaronw) |
|
2014-10-29 03:49:29 |
Kristina Hoeppner |
mahara: milestone |
1.10.1 |
15.04.0 |
|
2014-11-24 00:13:21 |
Kristina Hoeppner |
cve linked |
|
2014-8691 |
|
2014-11-25 00:12:39 |
Robert Lyon |
nominated for series |
|
mahara/1.10 |
|
2014-11-25 00:12:39 |
Robert Lyon |
bug task added |
|
mahara/1.10 |
|
2014-11-25 00:12:39 |
Robert Lyon |
nominated for series |
|
mahara/1.8 |
|
2014-11-25 00:12:39 |
Robert Lyon |
bug task added |
|
mahara/1.8 |
|
2014-11-25 00:12:39 |
Robert Lyon |
nominated for series |
|
mahara/1.9 |
|
2014-11-25 00:12:39 |
Robert Lyon |
bug task added |
|
mahara/1.9 |
|
2014-11-25 00:12:49 |
Robert Lyon |
mahara/1.10: milestone |
|
1.10.1 |
|
2014-11-25 00:12:52 |
Robert Lyon |
mahara/1.8: milestone |
|
1.8.6 |
|
2014-11-25 00:12:54 |
Robert Lyon |
mahara/1.9: milestone |
|
1.9.4 |
|
2014-11-25 00:13:01 |
Robert Lyon |
mahara/1.10: status |
New |
In Progress |
|
2014-11-25 00:13:03 |
Robert Lyon |
mahara/1.8: status |
New |
In Progress |
|
2014-11-25 00:13:05 |
Robert Lyon |
mahara/1.9: status |
New |
In Progress |
|
2014-11-25 00:19:32 |
Robert Lyon |
mahara/1.8: status |
In Progress |
Fix Committed |
|
2014-11-25 00:19:34 |
Robert Lyon |
mahara/1.10: status |
In Progress |
Fix Committed |
|
2014-11-25 00:19:37 |
Robert Lyon |
mahara/1.9: status |
In Progress |
Fix Committed |
|
2014-11-25 00:27:20 |
Robert Lyon |
mahara/1.10: importance |
Undecided |
Low |
|
2014-11-25 00:27:22 |
Robert Lyon |
mahara/1.8: importance |
Undecided |
Low |
|
2014-11-25 00:27:24 |
Robert Lyon |
mahara/1.9: importance |
Undecided |
Low |
|
2014-11-25 20:40:03 |
Robert Lyon |
mahara/1.8: milestone |
|
1.8.6 |
|
2014-11-25 22:04:24 |
Son Nguyen |
mahara/1.10: status |
Fix Committed |
Fix Released |
|
2014-11-25 22:09:55 |
Robert Lyon |
mahara/1.8: status |
Fix Committed |
Fix Released |
|
2014-11-25 22:58:33 |
Robert Lyon |
mahara/1.9: status |
Fix Committed |
Fix Released |
|
2015-04-17 02:03:20 |
Robert Lyon |
mahara: status |
Fix Committed |
Fix Released |
|