Watchlist lets you watch and receive notifications about pages you don't have view access to

Bug #1429647 reported by Aaron Wells on 2015-03-08
This bug affects 1 person
Affects   Status   Importance   Assigned to   Milestone
Mahara             Medium       Unassigned    1.10
Mahara             Medium       Unassigned    1.8
Mahara             Medium       Unassigned    1.9
Mahara             Medium       Unassigned    15.04
Mahara             Medium       Unassigned    15.10

Bug Description

In analyzing watchlist bug 1429505 (pages stay on your watchlist even if you lose access to them) I noticed a couple of things in the code:

1. You apparently still can receive watchlist notifications about pages on your watchlist which you don't have access to.

2. There are no access control checks in togglewatchlist.json.php, so it is apparently possible to add a page to your watchlist even if you don't have access to it.

Together, these bugs mean that a user could watch private pages, and receive notifications about changes to those pages. While these notifications would not contain the actual page content, they would contain the title of the page and the names of blocks and/or artefacts changed in the page.


Aaron Wells (u-aaronw) wrote :

This bug report is based mostly on looking at the code. I still have to actually run some tests to determine whether the code behaves as I think it does...

information type: Public → Private Security
Robert Lyon (robertl-9) wrote :

I've added a patch for this to double-check the view id.

To test:

1) make a page and share it with your friends

2) log in as a user who is a friend and watch the page

3) look in db for the entry in usr_watchlist_view - make note of the view id

4) log in as a user that is not a friend - go to any view page they can see and manually manipulate things
- if using firebug on the HTML tab view the <head> and scroll down until you see

<script type="application/javascript">
<link href="http://mahara-devel/theme/raw/static/style/tinymceskin.css?v=3651" type="text/css" rel="stylesheet">

Expand the script one and you should see

 var viewid =

Click the 'edit this HTML' button in firebug and change the id to the one in step 3 and click the 'edit this HTML' button again

5) now click the 'Add page to watchlist' link in mahara

If all is done right, you will see that the page has been added to the usr_watchlist_view table if the patch is not in place.
If the patch is present, then you should see an error message on screen.

Robert Lyon (robertl-9) wrote :
Jinelle Foley-Barnes (jinelleb) wrote :

Hi Rob,

Thanks for the test instructions.

Cheers,
Jinelle

Aaron, how can someone remove an item from somebody else's watchlist? Is that a new feature?

Aaron Wells (u-aaronw) wrote :

Kristina,

Sorry, I misspoke. I meant to say "it means that if you add a page to your watchlist, and the page owner then revokes your view access to that page".

Since I can't edit Launchpad comments, I'll just repost it with the correction, so it'll be clearer:

So, on further investigation, the watchlist activity has code in it which checks that each person has permission to view the item, and removes it from their watchlist if they don't.

This is a little strange, because it means that if you add a page to your watchlist and the page owner then removes your view access to the page, it remains on your watchlist until they make a change to the page's contents. It also doesn't support the new feedback-watchlist notifications... because I didn't add code for that when I was writing it. :)

We should probably just make a cron task to clear away invalid watchlist items.

But this patch is still good, to prevent people from manipulating their watchlist in order to find out page titles and such.
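The three defender-side pieces discussed in this thread (a server-side access check before a client-supplied view id is written to usr_watchlist_view, a cron-style sweep of entries whose access has since been revoked, and re-checking access when a notification is sent) as an added example. This is not Mahara's code: the tables are a constructed, simplified stand-in, and can_view_view is a hypothetical stand-in for Mahara's real access rules.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the relevant tables (simplified: one owner
    plus an explicit share list; real Mahara access rules are richer than this)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE view (id INTEGER PRIMARY KEY, owner INTEGER, title TEXT);
        CREATE TABLE view_access (view INTEGER, usr INTEGER);
        CREATE TABLE usr_watchlist_view (usr INTEGER, view INTEGER, UNIQUE(usr, view));
    """)
    db.executemany("INSERT INTO view VALUES (?,?,?)",
                   [(1, 10, "Public CV"), (2, 10, "Private notes")])
    # View 2 is shared only with user 20; user 30 is not a friend of the owner.
    db.executemany("INSERT INTO view_access VALUES (?,?)", [(1, 20), (1, 30), (2, 20)])
    return db

def can_view_view(db, usr, viewid):
    """Hypothetical access check: the owner, or anyone the view is shared with."""
    row = db.execute("SELECT owner FROM view WHERE id=?", (viewid,)).fetchone()
    if row is None:
        return False
    if row[0] == usr:
        return True
    return db.execute("SELECT 1 FROM view_access WHERE view=? AND usr=?",
                      (viewid, usr)).fetchone() is not None

def toggle_watchlist(db, usr, viewid):
    """Server-side toggle: the view id comes from the client, so check it here,
    never trust that the page the user was looking at is the page being watched."""
    if not can_view_view(db, usr, viewid):
        raise PermissionError("view %d is not visible to user %d" % (viewid, usr))
    q = "SELECT 1 FROM usr_watchlist_view WHERE usr=? AND view=?"
    if db.execute(q, (usr, viewid)).fetchone():
        db.execute("DELETE FROM usr_watchlist_view WHERE usr=? AND view=?", (usr, viewid))
        return "removed"
    db.execute("INSERT INTO usr_watchlist_view VALUES (?,?)", (usr, viewid))
    return "added"

def prune_watchlist(db):
    """Cron-style cleanup: drop watchlist entries whose access has been revoked."""
    stale = [(u, v) for u, v in db.execute("SELECT usr, view FROM usr_watchlist_view")
             if not can_view_view(db, u, v)]
    db.executemany("DELETE FROM usr_watchlist_view WHERE usr=? AND view=?", stale)
    return len(stale)

def watchers_to_notify(db, viewid):
    """Recipients of a change notification, re-checking access at send time so a
    stale entry never leaks the title or changed block names."""
    rows = db.execute("SELECT usr FROM usr_watchlist_view WHERE view=?", (viewid,))
    return [u for (u,) in rows if can_view_view(db, u, viewid)]
```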

Robert Lyon (robertl-9) on 2015-04-16
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released
tags: added: behat behat-needed