Don't display personal information beyond what is necessary in "Edit access" Ajax response

Bug #1863043 reported by Kristina Hoeppner
Affects   Status        Importance   Assigned to   Milestone
Mahara    Fix Released  High         Unassigned
18.10     Fix Released  High         Unassigned
19.04     Fix Released  High         Unassigned
19.10     Fix Released  High         Unassigned

Bug Description

When you are on view/access.php?id=[page ID] and open the network connections (you will need to reload the page to see traffic come through), you can see more information about an account holder than you should:

1. Open the "Network" tab.
2. Click on acces.json.php.
3. Show the "Response" information.

Username and other personal information that should not be displayed is disclosed, and thus can mean that information about other people can be leaked.

When we compose a message in the inbox, that same sort of disclosure does not happen. So, sendmessage.json.php handles things in a better way.

We should only disclose as much information in the "Response" as we do in the select menu, i.e. use the normal display name function as some people may not want to share their first and last name. Things will be different depending on their role.
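The fix the report asks for, as an added example that is not Mahara's own code: a user-search Ajax handler that serialises whole query rows beside one that projects each row to the id and the same label the Select2 drop-down shows, plus a check that fails on any extra field. The sample rows are constructed, and display_name() is a hypothetical stand-in for the application's display-name function.

```php
<?php
// Added example (not Mahara code): the shape of the defect behind this report.
// A user-search Ajax handler that json_encodes the raw query rows leaks every
// column; the hardened version projects each row to the fields the drop-down
// actually needs. display_name() is a hypothetical stand-in for the
// application's own display-name function.

// Constructed sample rows, standing in for a user-search query result.
$rows = [
    ['id' => 2, 'username' => 'jsmith', 'firstname' => 'Jane', 'lastname' => 'Smith',
     'preferredname' => 'JS', 'email' => 'jane@example.org', 'lastlogin' => '2020-02-10'],
    ['id' => 3, 'username' => 'bob', 'firstname' => 'Bob', 'lastname' => 'Brown',
     'preferredname' => '', 'email' => 'bob@example.org', 'lastlogin' => '2020-02-11'],
];

// Hypothetical display-name rule: preferred name if set, else first + last name.
function display_name(array $user): string {
    return $user['preferredname'] !== ''
        ? $user['preferredname']
        : trim($user['firstname'] . ' ' . $user['lastname']);
}

// Leaky: everything the query selected goes to the client.
function leaky_response(array $rows): string {
    return json_encode(['results' => $rows]);
}

// Hardened: allow-list projection; only the id and the label the menu shows.
function hardened_response(array $rows): string {
    $results = array_map(function (array $user): array {
        return ['id' => $user['id'], 'text' => display_name($user)];
    }, $rows);
    return json_encode(['results' => $results]);
}

// Regression check: no key outside the allow-list may appear in any result.
function response_has_only(string $json, array $allowed): bool {
    foreach (json_decode($json, true)['results'] as $item) {
        if (array_diff(array_keys($item), $allowed)) {
            return false;
        }
    }
    return true;
}

var_dump(response_has_only(leaky_response($rows), ['id', 'text']));
var_dump(response_has_only(hardened_response($rows), ['id', 'text']));
```

The first check fails because username, email and lastlogin travel to the browser even though the menu never renders them; the second passes.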

CVE References

CVE-2020-9282
Kristina Hoeppner (kris-hoeppner) wrote :

It would be good to check the other places that use the Select2 name drop-down and double-check that they are safe.

Kristina Hoeppner (kris-hoeppner) wrote :

To be posted in the security forum:

Information disclosure on the "Edit access" page

Severity: High
Vulnerability type: Information disclosure

In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, certain personal information is discoverable inspecting network responses on the 'Edit access' screen when sharing portfolios.

Reported by: Kristina Hoeppner and Robert Lyon (Catalyst IT)
Bug report: https://bugs.launchpad.net/mahara/+bug/1863043
CVE reference: CVE-2020-9282

Link CVE number above to https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-9282

Robert Lyon (robertl-9)
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/10759
Committed: https://git.mahara.org/mahara/mahara/commit/75a96408975052001eee7caa711fe8c005d34c85
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 75a96408975052001eee7caa711fe8c005d34c85
Author: Lisa Seeto <email address hidden>
Date: Fri Feb 14 14:12:43 2020 +1300

Bug 1857935: Display people from own
institution(s) first when searching for them during portfolio sharing

- added in check when searching users to display users in institutions first
- added in select2js datasource formatting to get user dropdown categories
- limit the type of data returned in ajax calls to limit data risks (Bug 1863043)
- refactor json and tpl
- refactor sql, show institution display name

Change-Id: I478a4d9534bf1de820ca59d60ca7768685e36a96
Signed-off-by: Lisa Seeto <email address hidden>

Changed in mahara:
status: Fix Committed → Fix Released
no longer affects: mahara/20.04