Comment 1 for bug 1476925

Aaron Wells (u-aaronw) wrote :

We had a discussion about whether there would be any additional security risk in making this action accessible to logged-out users. I think it would be safe. Here's my analysis:

1. The "section" argument is used as a portion of a filename, but it's limited to specific directories and filtered to the characters [-_.A-Za-z0-9], and the filename will have ".php" added to the end, so that's pretty safe.

2. You can use a parameterized string to generate an arbitrary JSON response (i.e. https://vegas.wgtn.cat-it.co.nz/mahara/htdocs/lang/get_string.php?section=mahara&string=deletespecific&args[]=%3Cscript%20type=%22text/javascript%22%3Ealert%28%27hey!%27%29%3C/script%3E ), but the response header has "Content-Type: application/json", so the browser won't parse any HTML or JavaScript in the response if you hit it directly. So that's pretty safe.

So in the end, it seems like the biggest risk here is that you could use this string to find out the value of every language string in the site. The only scenario I can think of where that would cause a problem is if a site is using custom language strings and putting sensitive data into them. Like "Welcome to Wells University! Remember, everyone's default password is 'password123'!".

But that seems like a really bad idea anyway, so I don't think it's a scenario we need to worry about too much.
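The two safety arguments in the comment above (an allowlisted "section" name that is pinned to fixed directories and a fixed ".php" suffix, and a body that is served as JSON rather than HTML) can be checked mechanically. The following is an added illustration written for this page; it is not Mahara's code, and the directory names, the `%s`-style template and the sample strings are constructed for the example.

```python
import json
import os
import re
from typing import Dict, List, Optional, Tuple

# Character allowlist quoted in the comment: a "section" may only contain
# [-_.A-Za-z0-9]. With no "/" or "\" in the set, no directory separator can
# be smuggled in, and a NUL byte or percent-encoding is refused outright.
SECTION_RE = re.compile(r'[-_.A-Za-z0-9]+')

# Constructed base directories for this example (not Mahara's real layout).
LANG_DIRS = ('lang/en.utf8', 'local/lang/en.utf8')


def section_to_path(section: str, base_dir: str = LANG_DIRS[0]) -> Optional[str]:
    """Map a user-supplied section name to a language file path.

    Returns None when the name is rejected.  The caller picks base_dir from a
    fixed tuple, so the request never chooses the directory itself.
    """
    if base_dir not in LANG_DIRS:
        raise ValueError(f"unexpected base directory: {base_dir!r}")
    if not SECTION_RE.fullmatch(section):
        return None
    # Appending a fixed ".php" suffix pins the extension: the request cannot
    # point at .ini, .txt or extension-less files in the same directory.
    candidate = os.path.normpath(os.path.join(base_dir, section + '.php'))
    # Belt-and-braces containment check.  Note that a section of ".." is
    # allowed by the regex but becomes "...php", a plain filename, so it
    # still resolves inside base_dir rather than above it.
    if os.path.commonpath([os.path.normpath(base_dir), candidate]) != os.path.normpath(base_dir):
        return None
    return candidate


def render_string(template: str, args: List[str]) -> Tuple[Dict[str, str], str]:
    """Build the response the way the comment describes the endpoint doing it.

    The caller-supplied args land inside a JSON string value, and the
    response is labelled application/json, so a browser that is sent here
    directly treats the body as data, not as markup to render.
    """
    message = template % tuple(args) if args else template
    body = json.dumps({'message': message})
    headers = {'Content-Type': 'application/json'}
    return headers, body


if __name__ == '__main__':
    # Constructed inputs: a benign section, two traversal attempts and the
    # odd-but-harmless ".." case.
    for name in ('mahara', '../../etc/passwd', 'mahara/../x', '..'):
        print(f'{name!r:22} -> {section_to_path(name)!r}')
    # Constructed template standing in for a parameterised language string.
    hdrs, body = render_string('Delete %s?', ['<script>alert(1)</script>'])
    print(hdrs, body)
```

Running the script shows the traversal attempts rejected at the regex, the ".." case confined to the base directory, and the script tag arriving as an escaped string inside a JSON object under an application/json header.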