Group search list shows too many results from page 2 onwards

Bug #1922226 reported by Andreas Schenkel
Affects   Status         Importance   Assigned to   Milestone
Mahara    Fix Released   High         Gold
20.10     Fix Released   High         Unassigned
21.04     Fix Released   High         Unassigned
21.10     Fix Released   High         Unassigned
22.04     Fix Released   High         Gold

Bug Description

We have multiple isolated institutions in mahara. When we search for a group, then on the first of two pages the results are shown correctly.
Only groups of our institution are visible.
We can see that there are more results on a second page.

To access the second page there is a link at the bottom. When we click the link, ALL groups of all institutions are shown.
mahara 20.10 (since 19.04 up to 20.10)

Andreas Schenkel (andreas-schenkel) wrote:
Andreas Schenkel (andreas-schenkel) wrote:

click in page 2 shows this group search result

description: updated
tags: added: isolated-institutions
Andreas Schenkel (andreas-schenkel) wrote:

We will try to fix this bug.

Changed in mahara:
assignee: nobody → Andreas Schenkel (andreas-schenkel)
Andreas Schenkel (andreas-schenkel) wrote:

This patch solves the problem with pagination of group lists when isolated institutions is activated.
On the second page now only the groups of the user's own institution are shown if the user searches for all groups.
Patch is based on mahara 20.10.4.

Kristina Hoeppner (kris-hoeppner) wrote:

Hi Andreas and Gold,

Thank you for the patch, Andreas.

Gold, can you please add the patch to Gerrit and see how it works with the ones you have there for isolated institutions?

Thank you
Kristina

Changed in mahara:
assignee: Andreas Schenkel (andreas-schenkel) → Gold (gold.catalyst)
Robert Lyon (robertl-9) wrote:
Robert Lyon (robertl-9)
Changed in mahara:
milestone: none → 22.04.0
status: New → In Progress
importance: Undecided → High
Kristina Hoeppner (kris-hoeppner) wrote (last edit):

For the forum post in the security forum:

Group search page shows too many results when isolated institutions is turned on

Vulnerability type: Insecure permissions
Attack type: Remote
Impact: Information disclosure

Affected components: The group search, accessible via Main menu → Engage → Groups when isolated institutions is turned on for the site.

Attack vectors: If the site has turned on isolated institutions and has more than 10 groups on the site, using the paginator on the 'Groups' page, someone can view the title of all groups on the site from page 2 of the results list onwards rather than only seeing groups in their own institution.

Description: In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using 'Isolated institutions' is vulnerable if groups are used. They are all shown from page 2 of the group results list rather than only showing groups for the institution of which the viewer is a member.

Reported by: Can't disclose
Bug report: https://bugs.launchpad.net/mahara/+bug/1922226
CVE reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29585

summary: - groups search list shows to much groups on second page
+ Group search list shows too many results from page 2 onwards
Gold (gold.catalyst)
information type: Private Security → Public Security
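The failure mode described in the advisory above, as an added example that is not Mahara's code and not part of the original report: a constructed in-memory group store, a search function that models the defect (institution filter applied only while building the first page, later pages sliced from the unfiltered list), the corrected form that filters before paginating, and a regression check that walks every page and reports any group from a foreign institution. Group names, the `inst-a`/`inst-b` institutions and the page size are assumptions chosen to match the "more than 10 groups" trigger in the advisory.

```python
"""Regression check for institution-scoped group search pagination.

Constructed example: the data, function names and the exact shape of the
defect are assumptions used to illustrate the report, not Mahara's code.
"""
from dataclasses import dataclass

PAGE_SIZE = 10  # assumed page size; the advisory's trigger is >10 groups


@dataclass(frozen=True)
class Group:
    name: str
    institution: str


def all_groups():
    """Constructed sample data: 12 groups in inst-a, 15 groups in inst-b."""
    return (
        [Group(f"inst-a group {i:02d}", "inst-a") for i in range(12)]
        + [Group(f"inst-b group {i:02d}", "inst-b") for i in range(15)]
    )


def search_groups_vulnerable(viewer_institution, page, isolated=True):
    """Models the defect: the institution filter is only applied while the
    first page is built, so page 2 onwards slices the unfiltered list."""
    groups = all_groups()
    offset = (page - 1) * PAGE_SIZE
    if isolated and offset == 0:
        groups = [g for g in groups if g.institution == viewer_institution]
    return groups[offset:offset + PAGE_SIZE]


def search_groups_fixed(viewer_institution, page, isolated=True):
    """Corrected form: scope the result set first, paginate afterwards, so
    every page (and any total count derived from it) sees the same filter."""
    groups = all_groups()
    if isolated:
        groups = [g for g in groups if g.institution == viewer_institution]
    offset = (page - 1) * PAGE_SIZE
    return groups[offset:offset + PAGE_SIZE]


def leaked_groups(search, viewer_institution):
    """Walk every page of `search` as `viewer_institution` and return the
    groups that belong to another institution. An empty list means the
    institution filter holds on all pages, not just the first one."""
    leaks = []
    page = 1
    while True:
        results = search(viewer_institution, page)
        if not results:
            break
        leaks.extend(g for g in results if g.institution != viewer_institution)
        page += 1
    return leaks


if __name__ == "__main__":
    for label, fn in (("vulnerable", search_groups_vulnerable),
                      ("fixed", search_groups_fixed)):
        leaks = leaked_groups(fn, "inst-a")
        print(f"{label}: {len(leaks)} foreign group(s) visible to inst-a")
```

The check is deliberately written against the search function rather than against page 1 alone, because a test that only inspects the first page passes on both variants; walking to the last page is what exposes this class of bug.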
Mahara Bot (dev-mahara) wrote: A patch has been submitted for review

Patch for "21.04_DEV" branch: https://reviews.mahara.org/c/mahara/+/12691

Mahara Bot (dev-mahara) wrote: A change has been merged

Reviewed: https://reviews.mahara.org/c/mahara/+/12691
Committed: https://git.mahara.org/mahara/mahara/commit/e058d0c1bc705a5cfc26d55718764599bbe95a3a
Submitter: "Robert Lyon <email address hidden>"
Branch: 21.04_DEV

commit e058d0c1bc705a5cfc26d55718764599bbe95a3a
Author: Andreas Schenkel <email address hidden>
Date: Mon Feb 28 14:18:30 2022 +1300

Security Bug 1922226: Groups search list after first page

For sites with isolated institutions enabled, searches for Groups return
a suitably filtered list of results. After the first page though, all
results are shown regardless of institution.

Change-Id: Ic3809589573ef5a828beaee16fdf729dacfcddf1
Signed-off-by: Gold <email address hidden>
(cherry picked from commit 15bfe15b3c9c0c8beb21b93d363860a985290d29)

This report contains Public Security information  
Everyone can see this security related information.