Elasticsearch: Search results are not restricted for artefacts on pages shared with group

Bug #1840201 reported by Lisa Seeto
Affects   Status         Importance   Assigned to   Milestone
Mahara    Fix Released   High         Robert Lyon
18.10     Fix Released   High         Unassigned
19.04     Fix Released   High         Unassigned
19.10     Fix Released   High         Unassigned
20.04     Fix Released   High         Robert Lyon

Bug Description

A user can create a page with media artefacts on it and share it with a group. The user can specify which users in that group have access, i.e. "Everyone in group", "Member" and "Admin". When a user selects to share the page with "Member" or "Admin", all members of the group can view it via the media category on the Elasticsearch page and can see the artefact. The preview image for an Image block for this issue is displaying as a broken link in Firefox and not displaying at all in Chrome.

Have Elasticsearch set up and able to search.
1. Create a group that has admin and members.
2. Log in as a user (doesn't have to be group member) and create a page with an Image block.
3. Share the page with the group and choose "Admin" in dropdown.
4. Log in as a Member of the group and go to Elasticsearch with no search words (should return everything you have access to see).
5. Select Media tab and view.
Expected results:
No artefacts from pages that are not shared with User are returned as results.
Actual results:
User can see artefacts from the page they do not have permission to access.

Mahara: 19.10dev
OS: Ubuntu 18.04.2
DB: Postgres
Browser: Firefox 68.01, Chrome 75.0.3770.142
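The failure described above is a search result post-filter that honours group membership but not the role restriction on the share rule. The following is an added model of that check, written for this page and not taken from Mahara's code base: the page, group, user and artefact names are a constructed fixture mirroring the reproduction steps, the search "hits" are assumed to be artefact ids returned by the index before any permission check, and restricting a share to "member" or "admin" is assumed to mean an exact role match. The buggy and corrected checks sit side by side so the difference in the result list is visible.

```python
"""Added example (not Mahara code): access check for group-shared pages
applied as a post-filter over search hits.

Assumptions: hits are artefact ids the index returned for a query; a page's
share rule with role=None means "everyone in group", otherwise the user's
role in that group must equal the rule's role exactly.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set


@dataclass(frozen=True)
class GroupAccess:
    """One 'share with group' rule on a page."""
    group: str
    role: Optional[str] = None  # None = everyone in group; else "member"/"admin"


@dataclass(frozen=True)
class Page:
    page_id: int
    owner: str
    artefacts: frozenset        # artefact ids (e.g. image files) placed on the page
    access: tuple = ()          # GroupAccess rules


# Constructed fixture: alice is a group admin, bob an ordinary member,
# carol owns the pages and is not in the group.
MEMBERSHIP = {
    ("alice", "classgroup"): "admin",
    ("bob", "classgroup"): "member",
}

PAGES = (
    Page(1, "carol", frozenset({"img-101"}), (GroupAccess("classgroup", "admin"),)),
    Page(2, "carol", frozenset({"img-102"}), (GroupAccess("classgroup"),)),
    Page(3, "carol", frozenset({"img-103"})),  # not shared with anyone
)

# What the index is assumed to return for an empty query: everything.
ALL_HITS = ["img-101", "img-102", "img-103"]


def role_in_group(user: str, group: str) -> Optional[str]:
    """Role the user holds in the group, or None if not a member."""
    return MEMBERSHIP.get((user, group))


def can_view_buggy(user: str, page: Page) -> bool:
    """Flawed check: membership in any group the page is shared with is
    enough; the rule's role restriction is never consulted."""
    if page.owner == user:
        return True
    return any(role_in_group(user, rule.group) is not None for rule in page.access)


def can_view_fixed(user: str, page: Page) -> bool:
    """Correct check: the user must be a member AND satisfy the role rule."""
    if page.owner == user:
        return True
    for rule in page.access:
        role = role_in_group(user, rule.group)
        if role is None:
            continue  # not in this group at all
        if rule.role is None or rule.role == role:
            return True
    return False


def visible_artefacts(user: str, pages: Iterable[Page],
                      can_view: Callable[[str, Page], bool]) -> Set[str]:
    """Union of artefacts on every page the user is allowed to view."""
    allowed: Set[str] = set()
    for page in pages:
        if can_view(user, page):
            allowed |= page.artefacts
    return allowed


def filter_hits(user: str, hits: List[str], pages: Iterable[Page],
                can_view: Callable[[str, Page], bool] = can_view_fixed) -> List[str]:
    """Drop every hit whose artefact is not on at least one viewable page.
    Order of the remaining hits is preserved."""
    allowed = visible_artefacts(user, pages, can_view)
    return [hit for hit in hits if hit in allowed]


if __name__ == "__main__":
    print("bob (member), buggy check:", filter_hits("bob", ALL_HITS, PAGES, can_view_buggy))
    print("bob (member), fixed check:", filter_hits("bob", ALL_HITS, PAGES))
    print("alice (admin), fixed check:", filter_hits("alice", ALL_HITS, PAGES))
```

With the buggy check bob, an ordinary member, is shown img-101 from the page shared with "Admin" only; with the corrected check he sees only img-102, alice as admin sees both shared artefacts, and img-103 on the unshared page never leaks to anyone but its owner. Filtering after the index returns hits is the simplest correct shape; pushing the same constraint into the query is an optimisation, not a substitute for this check.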

Tags: search privacy

CVE References

CVE-2020-9386
Kristina Hoeppner (kris-hoeppner) wrote :

Marking as high as it's to do with permissions and thus privacy.

Changed in mahara:
importance: Undecided → High
status: New → Confirmed
milestone: none → 19.10.0
tags: added: privacy
Changed in mahara:
milestone: 19.10.0 → 19.10.1
Kristina Hoeppner (kris-hoeppner) wrote :

Please check if also a problem in 19.04.

Kristina Hoeppner (kris-hoeppner) wrote :

This will need to be tested with isolated institutions turned on as well.

information type: Public → Private Security
Kristina Hoeppner (kris-hoeppner) wrote :

Information for the security forum post:

Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Affected: Elasticsearch implementation in Mahara

In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to that information any more.

Reference: https://bugs.launchpad.net/mahara/+bug/1840201
Credit: Lisa Seeto and Robert Lyon (Catalyst IT)

CVE: CVE-2020-9386
(link CVE number to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-9386 )

Robert Lyon (robertl-9)
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "19.04_STABLE" branch: https://reviews.mahara.org/10819

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/10819
Committed: https://git.mahara.org/mahara/mahara/commit/41c210f3b6a66e520d7ea6b460b3615d7b839f8d
Submitter: Robert Lyon (<email address hidden>)
Branch: 19.04_STABLE

commit 41c210f3b6a66e520d7ea6b460b3615d7b839f8d
Author: Robert Lyon <email address hidden>
Date: Wed Mar 11 09:46:28 2020 +1300

Bug 1866913: Add parts of missing function from master that are needed

Fix for bug 1840201 in 19.04

Change-Id: I20f41cb9557f3fa24a48e7e05a185ab1f72e5658
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "18.10_STABLE" branch: https://reviews.mahara.org/10838

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/10838
Committed: https://git.mahara.org/mahara/mahara/commit/42332f7c547376781e539c84340347921bfcc546
Submitter: Robert Lyon (<email address hidden>)
Branch: 18.10_STABLE

commit 42332f7c547376781e539c84340347921bfcc546
Author: Robert Lyon <email address hidden>
Date: Wed Mar 11 09:46:28 2020 +1300

Bug 1866913: Add parts of missing function from master that are needed

Fix for bug 1840201 in 19.04

Change-Id: I20f41cb9557f3fa24a48e7e05a185ab1f72e5658
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 41c210f3b6a66e520d7ea6b460b3615d7b839f8d)

Robert Lyon (robertl-9)
Changed in mahara:
milestone: 20.04.0 → none