See other's profile images one is not meant to
Bug #1600069 reported by Robert Lyon
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Robert Lyon |
15.04 | Fix Released | Medium | Unassigned |
15.10 | Fix Released | Medium | Unassigned |
16.04 | Fix Released | Medium | Unassigned |
Bug Description
As part of the follow on from this bug:
https:/
I notice that it is possible to see profile images of other users that one isn't meant to.
Demo:
Log in as User A and upload two profile icons - set one to be default
make note of the artefact ids
Login as User B then go to the url:
thumb.php?
You should only be allowed to see the icon that is set to the default icon, but you can see both.
CVE References
Changed in mahara:
status: In Progress → Fix Committed
information type: Private Security → Public Security
Changed in mahara:
status: Fix Committed → Fix Released
If the non-default icon is in a view we need to pass the viewid to the thumb.php file so we can check that as well.
So now:
thumb.php?type=profileiconbyid&maxwidth=150&id=5 will fail if '5' is a profile icon that is not default
but
thumb.php?type=profileiconbyid&maxwidth=150&id=5&view=2 will pass if that icon is in a view one can see
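The access rule described in the comment above, as an added Python model that is not Mahara's own code: it parses the thumb.php query strings from the comment and allows a profileiconbyid request only when the icon is the owner's default, or when the passed view contains the icon and is visible to the requester. The user, artefact and view records are constructed sample data, and the function names are assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample data modelling the report: user 1 (User A) owns two profile
# icons, artefact 4 (default) and artefact 5 (not default). Artefact 5 sits in
# view 2, which user 1 has shared with user 2 (User B) but not with user 3.
PROFILE_ICONS = {
    4: {"owner": 1, "default": True},
    5: {"owner": 1, "default": False},
}
VIEWS = {
    2: {"artefacts": {5}, "allowed_users": {1, 2}},
}


def can_view_profile_icon(requester, icon_id, view_id=None):
    """Return (allowed, reason) for a profileiconbyid request.

    Rule from the fix: a non-default icon is served only when the caller also
    names a view that contains the icon and that the requester may see.
    (The owner's own access to their icons is outside this model.)"""
    icon = PROFILE_ICONS.get(icon_id)
    if icon is None:
        return False, "no such profile icon"
    if icon["default"]:
        return True, "default profile icon"
    if view_id is None:
        return False, "non-default icon and no view given"
    view = VIEWS.get(view_id)
    if view is None:
        return False, "no such view"
    if icon_id not in view["artefacts"]:
        return False, "icon is not in that view"
    if requester not in view["allowed_users"]:
        return False, "requester may not see that view"
    return True, "icon is in a view the requester can see"


def check_thumb_request(requester, query):
    """Apply the check to a thumb.php query string such as
    'type=profileiconbyid&maxwidth=150&id=5&view=2'."""
    params = parse_qs(query)
    if params.get("type", [""])[0] != "profileiconbyid":
        return False, "not a profileiconbyid request"
    try:
        icon_id = int(params["id"][0])
        view_id = int(params["view"][0]) if "view" in params else None
    except (KeyError, ValueError):
        return False, "missing or malformed id/view parameter"
    return can_view_profile_icon(requester, icon_id, view_id)
```

Calling `check_thumb_request(2, ...)` with the two query strings from the comment reproduces the fail/pass pair it describes, and a user outside the view's share list is refused even with the correct view id.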