Users can login to suspended institutions via external auth under some circumstances
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Unassigned |
15.04 | Fix Released | High | Unassigned |
15.10 | Fix Released | High | Unassigned |
16.04 | Fix Released | High | Unassigned |
Bug Description
The problem is this:
The code that checks whether the user's authinstance belongs to a suspended institution is in LiveUser->login(). This is the method used by the username/password login box.
But if you log in with an auth method that doesn't use the login box, say SAML, XMLRPC or Shibboleth, you never hit that check.
We need to move the check into the "ensure_
See also https:/
That bug report is public but I'll mark this as private as it mentions the attack vector
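To make the structural point of the report concrete, here is a small Python model (an added example, not Mahara's code; the names `Institution`, `AuthInstance`, `ensure_user_account_is_usable`, `login_before_fix` and `login_after_fix` are made up) of a login flow with an institution-status check that lives only in the username/password path, next to the corrected layout where a single post-authentication step runs for every auth method:

```python
"""Toy model of the bug above and of the fix it calls for.

Added illustration, not Mahara's code: the class and function names here are
made up. It shows an institution-status check that lives only in the
username/password login path (so SSO logins skip it) next to the corrected
layout, where one shared post-authentication step runs for every auth method.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


class LoginDenied(Exception):
    """Identity was established, but the account must not get a session."""


@dataclass
class Institution:
    name: str
    suspended: bool = False
    expiry: Optional[date] = None  # None means the institution never expires

    def is_active(self, today: date) -> bool:
        return not self.suspended and (self.expiry is None or self.expiry >= today)


@dataclass
class AuthInstance:
    method: str              # "internal" (login box) or an SSO method
    institution: Institution


@dataclass
class User:
    username: str
    password: str
    authinstance: AuthInstance


SSO_METHODS = {"xmlrpc", "saml", "shibboleth"}
VALID_ASSERTION = "assertion-ok"  # constructed stand-in for a verified SSO assertion


def authenticate(user: User, credential: str) -> bool:
    """Step 1: establish identity. The login box checks a password; SSO methods
    accept an assertion the remote identity provider has already verified."""
    if user.authinstance.method in SSO_METHODS:
        return credential == VALID_ASSERTION
    return credential == user.password


def ensure_user_account_is_usable(user: User, today: date) -> None:
    """Step 2 (hypothetical name): refuse a session if the user's institution
    is suspended or past its expiry date, whatever auth method was used."""
    inst = user.authinstance.institution
    if not inst.is_active(today):
        raise LoginDenied(f"institution {inst.name!r} is suspended or expired")


def login_before_fix(user: User, credential: str, today: date) -> bool:
    """Vulnerable layout: the institution check is wired into the login-box
    path only, so an SSO roam-in never reaches it."""
    if not authenticate(user, credential):
        return False
    if user.authinstance.method not in SSO_METHODS:
        ensure_user_account_is_usable(user, today)
    return True


def login_after_fix(user: User, credential: str, today: date) -> bool:
    """Corrected layout: every method funnels through the same check once
    identity is established."""
    if not authenticate(user, credential):
        return False
    ensure_user_account_is_usable(user, today)
    return True


def outcome(flow, user: User, credential: str, today: date) -> str:
    """Run one login flow and summarise its result as a short label."""
    try:
        return "granted" if flow(user, credential, today) else "bad-credential"
    except LoginDenied:
        return "denied"


def demo() -> dict:
    """Reproduce the report's scenario with constructed data: an institution
    whose expiry is in the past, a suspended one, an active one, and users
    attached to them through the login box or through XMLRPC/SAML."""
    today = date(2016, 6, 1)
    expired = Institution("Expired College", expiry=date(2015, 12, 31))
    suspended = Institution("Suspended College", suspended=True)
    active = Institution("Active College")
    box_user = User("bob", "pw", AuthInstance("internal", expired))
    sso_user = User("alice", "unused", AuthInstance("xmlrpc", expired))
    sus_user = User("carol", "unused", AuthInstance("saml", suspended))
    ok_user = User("dave", "unused", AuthInstance("xmlrpc", active))
    return {
        "before/password": outcome(login_before_fix, box_user, "pw", today),
        "before/sso-expired": outcome(login_before_fix, sso_user, VALID_ASSERTION, today),
        "before/sso-suspended": outcome(login_before_fix, sus_user, VALID_ASSERTION, today),
        "after/password": outcome(login_after_fix, box_user, "pw", today),
        "after/sso-expired": outcome(login_after_fix, sso_user, VALID_ASSERTION, today),
        "after/sso-suspended": outcome(login_after_fix, sus_user, VALID_ASSERTION, today),
        "after/sso-active": outcome(login_after_fix, ok_user, VALID_ASSERTION, today),
        "after/sso-bad-assertion": outcome(login_after_fix, sso_user, "forged", today),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:25} {result}")
```

The design point is that the account-status check is not part of proving identity, so it should not live inside any one identity-proving path; it belongs in the step every path shares before a session is created. Running the model shows the password user denied under both layouts, the SSO users granted access under the vulnerable layout and denied under the corrected one, and a user from an active institution still able to roam in after the fix.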
CVE References
Changed in mahara: status: Confirmed → In Progress
information type: Private Security → Public Security
Changed in mahara: status: In Progress → Fix Committed
Changed in mahara: status: Fix Committed → Fix Released
To test:
1. Install Moodle and Mahara. Enable Mnet on both.
2. Create an institution in Mahara with an XMLRPC auth instance, using Moodle and the "They SSO in" setting.
3. Set up Moodle so that your users can roam over to Mahara via MNet.
4. Set the Mahara institution's expiration date to the past, and/or suspend the Mahara institution.
5. Log in to Moodle.
6. Roam over to Mahara.
Expected result: When you try to roam over to Mahara, you can't log in, because your institution is expired.
Actual result: You roam to Mahara with no problem.