See others' profile images one is not meant to

Bug #1600069 reported by Robert Lyon on 2016-07-08
Affects        Importance   Assigned to
Mahara         Medium       Robert Lyon
Mahara 15.04   Medium       Unassigned
Mahara 15.10   Medium       Unassigned
Mahara 16.04   Medium       Unassigned

Bug Description

As a follow-on from this bug:
https://bugs.launchpad.net/mahara/+bug/1211758

I notice that it is possible to see profile images of other users that one isn't meant to.

Demo:
Log in as User A and upload two profile icons; set one to be the default.
Make a note of the artefact ids.

Log in as User B, then go to the URL:

thumb.php?type=profileiconbyid&maxwidth=150&id=[id from above]

You should only be allowed to see the icon that is set as the default icon, but you can see both.

Robert Lyon (robertl-9) wrote :

If the non-default icon is in a view, we need to pass the view id to the thumb.php file so we can check that as well.

So now:

thumb.php?type=profileiconbyid&maxwidth=150&id=5 will fail if '5' is a profile icon that is not the default

but

thumb.php?type=profileiconbyid&maxwidth=150&id=5&view=2 will pass if that icon is in a view one can see
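As an added example (not Mahara's code, and not taken from the report), here is a Python model of the authorization decision that the bug description and the follow-up comment describe: a default profile icon is visible to anyone, while a non-default icon is served only when the request also names a view that actually contains that icon and that the requesting user is allowed to see. The user names, icon ids, view ids, the `ICONS`/`VIEWS` tables and the simplified `access` model are all constructed for this example; Mahara's real access rules are richer than this. The assumption that an owner may always fetch their own icons is also mine, not the page's.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ProfileIcon:
    """A profile-icon artefact (constructed model, not Mahara's schema)."""
    id: int
    owner: str
    is_default: bool


@dataclass(frozen=True)
class View:
    """A page ("view") that may contain artefacts and has an access list.

    access holds explicit usernames plus the pseudo-entries "public" and
    "loggedin" (simplified model of view sharing; an assumption of this example).
    """
    id: int
    owner: str
    artefact_ids: FrozenSet[int]
    access: FrozenSet[str]


# Constructed sample data: User A has a default icon (11) and a second one (12).
ICONS = {
    11: ProfileIcon(11, "userA", True),
    12: ProfileIcon(12, "userA", False),
}
VIEWS = {
    # view 2: contains icon 12 and is shared with userB
    2: View(2, "userA", frozenset({12}), frozenset({"userB"})),
    # view 3: contains icon 12 but is private to userA
    3: View(3, "userA", frozenset({12}), frozenset()),
    # view 4: shared with userB but does NOT contain icon 12
    4: View(4, "userA", frozenset(), frozenset({"userB"})),
}


def can_access_view(requester: Optional[str], view: View) -> bool:
    """Can `requester` (None = anonymous) see `view` under the simplified model?"""
    if requester is not None and view.owner == requester:
        return True
    if "public" in view.access:
        return True
    if "loggedin" in view.access and requester is not None:
        return True
    return requester is not None and requester in view.access


def can_see_profile_icon(requester: Optional[str], icon_id: int,
                         view_id: Optional[int] = None) -> bool:
    """Authorization decision for thumb.php?type=profileiconbyid&id=...[&view=...]."""
    icon = ICONS.get(icon_id)
    if icon is None:
        return False
    # Assumption: the owner may always retrieve their own icons.
    if requester is not None and icon.owner == requester:
        return True
    # The default icon is visible to everyone (this is what the page expects).
    if icon.is_default:
        return True
    # A non-default icon needs a view: without one, deny (the original bug).
    if view_id is None:
        return False
    view = VIEWS.get(view_id)
    if view is None:
        return False
    # The view must actually contain this icon; otherwise any view the
    # requester can see would unlock every non-default icon.
    if icon.id not in view.artefact_ids:
        return False
    return can_access_view(requester, view)


def decide_thumb_request(requester: Optional[str], query_string: str) -> bool:
    """Parse a thumb.php-style query string and return True if it should be served."""
    params = parse_qs(query_string)
    if params.get("type", [None])[0] != "profileiconbyid":
        return False  # only the profile-icon case is modelled here
    try:
        icon_id = int(params["id"][0])
        view_id = int(params["view"][0]) if "view" in params else None
    except (KeyError, ValueError):
        return False  # missing or malformed id/view: deny rather than guess
    return can_see_profile_icon(requester, icon_id, view_id)


if __name__ == "__main__":
    for q in ("type=profileiconbyid&maxwidth=150&id=11",
              "type=profileiconbyid&maxwidth=150&id=12",
              "type=profileiconbyid&maxwidth=150&id=12&view=2",
              "type=profileiconbyid&maxwidth=150&id=12&view=3",
              "type=profileiconbyid&maxwidth=150&id=12&view=4"):
        print(f"userB -> {q}: {'serve' if decide_thumb_request('userB', q) else 'deny'}")
```

The point the fix comment makes is the `view` parameter; the extra check this example adds on top of it is that the named view must contain the requested artefact, since checking only "can the requester see view N" would let any readable view id act as a key for unrelated icons.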

Robert Lyon (robertl-9) on 2016-07-11
Changed in mahara:
status: In Progress → Fix Committed
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
status: Fix Committed → Fix Released