A site admin can access Mahara 'root' user and break the site

Bug #1817221 reported by Robert Lyon on 2019-02-21
Assigned to: Robert Lyon

Bug Description

A site admin can break the site by suspending the 'root' user

To replicate:

1) Log in as a site admin
2) Go to Administration -> Users -> User search (admin/users/search.php)
3) Click on the 'username' link of any user
4) Change the url and make the id= part equal to 0 (eg admin/users/edit.php?id=0)

You now can see information for the hidden 'root' user

5) Suspend the user
6) Logout
7) Login again and you get something like

Mahara: Site unavailable
Something in the way you're interacting with Mahara is causing an error.
Details if any, follow:

Your account has been suspended as of 2019-02-22 10:56:34. The reason for your suspension is: Bad mojo

Things to fix:
1) Do not allow anyone to see the Mahara 'root' user via the admin/users/edit.php page
2) Make sure systems that suspend a user, e.g. rejecting consent to the privacy statement, can't suspend the 'root' user
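The two fixes above, modelled as an added example rather than Mahara's own code. Mahara is written in PHP; this Python version only shows the shape of the checks, using a constructed in-memory user table in place of the 'usr' database table, a hypothetical AccessDeniedException, and the assumption from the report that the hidden system user has id 0. The point it makes is that the admin edit page must refuse id=0 before loading anything, and that every suspension path (the admin UI and the privacy-statement rejection alike) must go through one guarded routine.

```python
"""Model of the guards asked for in Mahara bug #1817221 (added example, not
Mahara code): hide the system user from the admin edit page and refuse to
suspend it on any path. Python stand-in for the PHP originals."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Optional

SYSTEM_USER_ID = 0  # assumption from the report: the hidden 'root' user is id 0


class AccessDeniedException(Exception):
    """Hypothetical: raised where the real site would refuse the page/action."""


@dataclass
class User:
    id: int
    username: str
    admin: bool = False
    suspendedctime: Optional[datetime] = None
    suspendedreason: Optional[str] = None

    @property
    def suspended(self) -> bool:
        return self.suspendedctime is not None


# Constructed sample data standing in for the 'usr' table.
USERS: Dict[int, User] = {
    0: User(0, "root"),
    1: User(1, "siteadmin", admin=True),
    2: User(2, "alice"),
}


def is_system_user(user_id: int) -> bool:
    return user_id == SYSTEM_USER_ID


def admin_edit_user_page(actor: User, target_id: int) -> User:
    """Fix 1: the equivalent of admin/users/edit.php?id=<target_id>. The id=0
    case is rejected before any record is loaded, so the root user is never
    displayed or editable, even for a site admin."""
    if not actor.admin:
        raise AccessDeniedException("site admins only")
    if is_system_user(target_id):
        raise AccessDeniedException("the system user cannot be viewed or edited")
    try:
        return USERS[target_id]
    except KeyError:
        raise AccessDeniedException(f"no such user: {target_id}") from None


def suspend_user(target_id: int, reason: str,
                 now: Optional[datetime] = None) -> User:
    """Fix 2: the single choke point for suspensions. Every caller (admin UI,
    privacy-statement rejection, anything else) lands here, so root is
    protected regardless of which path asked."""
    if is_system_user(target_id):
        raise AccessDeniedException("the system user cannot be suspended")
    user = USERS[target_id]
    user.suspendedctime = now or datetime.now()
    user.suspendedreason = reason
    return user


def reject_privacy_statement(user: User) -> User:
    """The second path named in the report: a user who rejects the privacy
    statement is suspended. It reuses suspend_user() and so inherits the guard."""
    return suspend_user(user.id, "Privacy statement rejected")


def site_available() -> bool:
    """The lockout symptom from the report, stated as an invariant to check:
    the site is only usable while the system user is not suspended."""
    return not USERS[SYSTEM_USER_ID].suspended


def refused(action: Callable[[], object]) -> bool:
    """True when a guard blocks the action, False when it goes through."""
    try:
        action()
    except AccessDeniedException:
        return False or True
    return False


if __name__ == "__main__":
    admin = USERS[1]
    print("edit id=0 refused:", refused(lambda: admin_edit_user_page(admin, 0)))
    print("suspend root refused:", refused(lambda: suspend_user(0, "Bad mojo")))
    print("privacy rejection on root refused:",
          refused(lambda: reject_privacy_statement(USERS[0])))
    print("suspend alice refused:", refused(lambda: suspend_user(2, "Bad mojo")))
    print("site available:", site_available())
```

The guard lives in suspend_user() rather than in the admin page because the report's second point is exactly that other callers exist; a check only on the edit page would leave the privacy-statement path able to suspend root.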

Note for the forum announcement:

Disable logins for everyone when root user is suspended

Severity: Medium
Vulnerability type: Insecure permissions

An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can suspend the system user (root), causing all users to be locked out from the system.

Reported by Robert Lyon (Catalyst)
Bug report: https://bugs.launchpad.net/mahara/+bug/1817221
CVE reference: CVE-2019-9708

Link CVE number to https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9708

Robert Lyon (robertl-9) on 2019-04-30
information type: Private Security → Public Security