Users can delete submitted page through URL

Bug #1425306 reported by Yuliya Bozhko on 2015-02-24
This bug affects 1 person
Affects: Mahara. Importance: Medium. Assigned to: Yuliya Bozhko
Affects: 1.10. Importance: Medium. Assigned to: Robert Lyon
Affects: 1.8. Importance: Medium. Assigned to: Robert Lyon
Affects: 1.9. Importance: Medium. Assigned to: Robert Lyon

Bug Description

To reproduce:

- Create a page
- Submit it to a group
- Check that there is no 'Delete' button on 'Pages' web-page for this page
- Find out page ID (through page view URL)
- Go to YOURSITE/view/delete.php?id=XXX where XXX is page ID
- See that you can easily delete a page
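
The steps above show a restriction that exists only in the 'Pages' UI and is not enforced by the delete endpoint. The following is an added example, not part of the bug report and not Mahara's code: it contrasts a handler that checks ownership only with one that applies the same rule as the UI on the server. All function names, the data layout and the ownership-only "before" check are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; this is not Mahara's code.
// Constructed sample data: user 7 owns both pages, page 42 is submitted to a group.
$pages = [
    41 => ['owner' => 7, 'submitted_to' => null],
    42 => ['owner' => 7, 'submitted_to' => 'group:3'],
];

// The rule the page list uses when deciding whether to render a 'Delete' button.
function can_delete_page(array $page, int $userId): bool {
    return $page['owner'] === $userId && $page['submitted_to'] === null;
}

// "Before" (assumed): the handler checks ownership only, so the rule above is
// enforced by the UI alone and a direct request bypasses it.
function delete_page_unchecked(array &$pages, int $id, int $userId): bool {
    if (!isset($pages[$id]) || $pages[$id]['owner'] !== $userId) {
        return false;
    }
    unset($pages[$id]);
    return true;
}

// "After": the handler re-evaluates the same rule server-side before deleting.
function delete_page_checked(array &$pages, int $id, int $userId): bool {
    if (!isset($pages[$id]) || !can_delete_page($pages[$id], $userId)) {
        return false;
    }
    unset($pages[$id]);
    return true;
}

// Each handler works on its own copy of the sample data.
$before = $pages;
$after  = $pages;

// Direct request for the submitted page against the ownership-only handler.
var_dump(delete_page_unchecked($before, 42, 7));
// The same request against the handler that shares the UI's rule.
var_dump(delete_page_checked($after, 42, 7));
// A page that has not been submitted, requested by its owner.
var_dump(delete_page_checked($after, 41, 7));
```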

Reviewed: https://reviews.mahara.org/4320
Committed: http://gitorious.org/mahara/mahara/commit/ab152be2eb77f2c07a6cbe48ef650802132d28d2
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit ab152be2eb77f2c07a6cbe48ef650802132d28d2
Author: Yuliya Bozhko <email address hidden>
Date: Wed Feb 25 11:44:54 2015 +1300

Make sure submitted page cannot be deleted via URL (Bug #1425306)

Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <email address hidden>

Robert Lyon (robertl-9) on 2015-02-24
Changed in mahara:
status: Confirmed → Fix Committed
milestone: none → 15.04.0
importance: Undecided → Medium
Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/4322

Mahara Bot (dev-mahara) wrote :

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/4323

Aaron Wells (u-aaronw) on 2015-03-03
information type: Public → Public Security

Reviewed: https://reviews.mahara.org/4321
Committed: http://gitorious.org/mahara/mahara/commit/7319e7442d431894460db9e9f904a5ed92c00568
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 7319e7442d431894460db9e9f904a5ed92c00568
Author: Yuliya Bozhko <email address hidden>
Date: Wed Feb 25 11:44:54 2015 +1300

Make sure submitted page cannot be deleted via URL (Bug #1425306)

Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4322
Committed: http://gitorious.org/mahara/mahara/commit/371490ae0714fce3a09bca46b73a5ee3c4415150
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit 371490ae0714fce3a09bca46b73a5ee3c4415150
Author: Yuliya Bozhko <email address hidden>
Date: Wed Feb 25 11:44:54 2015 +1300

Make sure submitted page cannot be deleted via URL (Bug #1425306)

Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4323
Committed: http://gitorious.org/mahara/mahara/commit/555f20f2e9fe8406e62117e56f8eeb3ef5478c92
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 555f20f2e9fe8406e62117e56f8eeb3ef5478c92
Author: Yuliya Bozhko <email address hidden>
Date: Wed Feb 25 11:44:54 2015 +1300

Make sure submitted page cannot be deleted via URL (Bug #1425306)

Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <email address hidden>

Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released