Stored XSS in user reports access lists, and shared tabs for user/group/institution

Bug #1447377 reported by Hugh Davenport on 2015-04-22
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Critical
Hugh Davenport
1.10
Critical
Unassigned
1.9
Critical
Unassigned
15.04
Critical
Unassigned
15.10
Undecided
Unassigned

Bug Description

This one requires a malicious institution admin, but could still result in privilege escalation to full admin.

Steps to reproduce:
- As admin, create a new institution, and a new user with admin rights in that institution
- Log in as new institution admin, change name of institution to "<script>alert(1);</script>"
- Add some new users to the institution, their profile pages will automatically be shared with the institution
- If full admin runs a user report on that new user now, and views access list, they will see the XSS
- If a user shares a page with this institution, then views "Shared by me", then it will trigger
- If a group shares a page ..., it will trigger
- If a institution shares a page ..., it will trigger (can be a different institution, just have to be in same institution to be able to share with it (or it is searchable?)).

Mainly low risk, as doesn't gain privilege, but the full admin may view access list report of all users legitimately, so that makes it critical as privilege escalation is possible (walled gardens setups where lots of institution admins, and they aren't full admins).

Patch to come.

Cheers,

Hugh

CVE References

Hugh Davenport (hugh-davenport) wrote :

Patch added

Robert Lyon (robertl-9) wrote :

Hi Hugh,

I've added a patch to gerrit for this:
https://reviews.mahara.org/#/c/4698/

It's based on your patch - but with a slight change - see comment in gerrit

Changed in mahara:
status: Triaged → In Progress
milestone: none → 15.10.0
Jinelle Foley-Barnes (jinelleb) wrote :

Hi,

I've been trying to test this, I think I may be going wrong.

 - As admin, create a new institution, and a new user with admin rights in that institution
- Log in as new institution admin, change name of institution to "<script>alert(1);</script>"

I couldn't do step 2 because when I logged in as new institution admin I couldn't access institutions because I'm not a site admin. However I did see that I got the confirmation message to say that I had become the Institution admin of the "testing" institution. I just couldn't access it.

Let me know where I’m going wrong.

Thanks,
Jinelle

Reviewed: https://reviews.mahara.org/4778
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/fff46e5493c0cb17ce03defccc7a6b738615a4b1
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit fff46e5493c0cb17ce03defccc7a6b738615a4b1
Author: Hugh Davenport <email address hidden>
Date: Tue Apr 28 12:38:56 2015 +1200

Escape institution_display_name correctly (Bug #1447377)

Institution names were not being escaped properly in the
accesslist.

This patch escapes them properly as well as clearing the
compiled cache for the templates where this problem occurs.

Change-Id: I2e675af0b84a3a7106e0245a5faa6ee2095a7e06
Signed-off-by: Robert Lyon <email address hidden>

Aaron Wells (u-aaronw) on 2015-05-28
Changed in mahara:
status: In Progress → Fix Committed
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4777
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/66efb9a70fd2e1ace257252147d5b5754658239d
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.10_STABLE

commit 66efb9a70fd2e1ace257252147d5b5754658239d
Author: Hugh Davenport <email address hidden>
Date: Tue Apr 28 12:38:56 2015 +1200

Escape institution_display_name correctly (Bug #1447377)

Institution names were not being escaped properly in the
accesslist.

This patch escapes them properly as well as clearing the
compiled cache for the templates where this problem occurs.

Change-Id: I2e675af0b84a3a7106e0245a5faa6ee2095a7e06
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4810
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/721bddaa3413c67ab816f1e02940c6c31d5682fc
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 721bddaa3413c67ab816f1e02940c6c31d5682fc
Author: Aaron Wells <email address hidden>
Date: Fri May 29 10:43:03 2015 +1200

Add log description to lib/db/upgrade.php block

Bug 1447377

Change-Id: Id0f64a6dc883f31de69595a05a321e2ec7ac1b09

Aaron Wells (u-aaronw) on 2015-10-23
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers