A site admin can access Mahara 'root' user and break the site

Bug #1817221 reported by Robert Lyon
Affects   Status        Importance   Assigned to    Milestone
Mahara    Fix Released  High         Robert Lyon
17.10     Fix Released  High         Unassigned
18.04     Fix Released  High         Unassigned
18.10     Fix Released  High         Unassigned
19.04     Fix Released  High         Robert Lyon

Bug Description

A site admin can break the site by suspending the 'root' user

To replicate:

1) Log in as a site admin
2) Go to Administration -> Users -> User search (admin/users/search.php)
3) Click on the 'username' link of any user
4) Change the url and make the id= part equal to 0 (eg admin/users/edit.php?id=0)

You now can see information for the hidden 'root' user

5) Suspend the user
6) Logout
7) Log in again and you get something like

Mahara: Site unavailable
Something in the way you're interacting with Mahara is causing an error.
Details if any, follow:

Your account has been suspended as of 2019-02-22 10:56:34.
The reason for your suspension is: Bad mojo

Things to fix:
1) Not allow anyone to see the Mahara 'root' user via the admin/users/edit.php page
2) Make sure systems that suspend a user, eg rejecting consent to privacy statement can't suspend 'root' user
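
The two fixes listed above, shown as an added PHP illustration that is not Mahara's own code: the in-memory user table, the ROOT_USER_ID constant and the function names are assumptions made for this example. It walks the reproduction steps from the report (id=0 in the URL, then a suspension) against a hardened edit-page loader and a single suspension entry point that refuses the system user.

```php
<?php
// Added illustration, not Mahara's own code. The user store, ROOT_USER_ID and
// the function names are assumptions made for this example.

// The hidden system user is assumed to be id 0, as in the report.
const ROOT_USER_ID = 0;

// Constructed in-memory table standing in for the real user table.
$users = [
    0 => ['username' => 'root',  'suspended' => false],
    1 => ['username' => 'admin', 'suspended' => false],
    2 => ['username' => 'alice', 'suspended' => false],
];

function is_system_user(int $id): bool
{
    return $id === ROOT_USER_ID;
}

// Fix 1: the admin edit page must not trust whatever id= the URL carries.
// Non-integer ids, unknown ids and the system user all get the same
// "not found" answer, so the page does not reveal that id 0 exists.
function load_user_for_admin_edit(array $users, $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || is_system_user($id) || !isset($users[$id])) {
        throw new RuntimeException("User not found");
    }
    return $users[$id];
}

// Fix 2: every path that suspends an account (admin action, privacy-consent
// rejection, bulk operations) goes through one function that refuses the
// system user, so no caller can lock the whole site out.
function suspend_user(array &$users, int $id, string $reason): void
{
    if (is_system_user($id)) {
        throw new InvalidArgumentException("The system user cannot be suspended");
    }
    if (!isset($users[$id])) {
        throw new RuntimeException("User not found");
    }
    $users[$id]['suspended'] = true;
    $users[$id]['suspendedreason'] = $reason;
}

// Step 4 of the report: tamper with the id= parameter on the edit page.
foreach (['2', '0', 'abc'] as $rawId) {
    try {
        $u = load_user_for_admin_edit($users, $rawId);
        echo "id={$rawId}: editing {$u['username']}\n";
    } catch (RuntimeException $e) {
        echo "id={$rawId}: {$e->getMessage()}\n";
    }
}

// Step 5 of the report: try to suspend the system user directly.
try {
    suspend_user($users, ROOT_USER_ID, 'Bad mojo');
} catch (InvalidArgumentException $e) {
    echo "suspend root: {$e->getMessage()}\n";
}

// An ordinary account can still be suspended through the same entry point.
suspend_user($users, 2, 'Bad mojo');
echo "alice suspended: " . var_export($users[2]['suspended'], true) . "\n";
```

Routing every suspension through one guarded function, rather than checking the id on each page, is what closes the second item: a new caller such as the privacy-statement consent flow inherits the check without having to remember it.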

Kristina Hoeppner (kris-hoeppner) wrote :

Note for the forum announcement:

Disable logins for everyone when root user is suspended

Severity: Medium
Vulnerability type: Insecure permissions

An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can suspend the system user (root), causing all users to be locked out from the system.

Reported by Robert Lyon (Catalyst)
Bug report: https://bugs.launchpad.net/mahara/+bug/1817221
CVE reference: CVE-2019-9708

Link CVE number to https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9708

Robert Lyon (robertl-9) changed information type: Private Security → Public Security