Able to see name of another account holder's folder

Bug #1952808 reported by Robert Lyon
Affects   Status         Importance   Assigned to   Milestone
Mahara    Fix Released   High         Unassigned
20.10     Fix Released   High         Unassigned
21.04     Fix Released   High         Unassigned
21.10     Fix Released   High         Unassigned
22.04     Fix Released   High         Unassigned

Bug Description

Problem when passing a folder id to the 'Files' page: we can see the name of a folder that we don't own.

Testing steps:

1) Create a site with at least two accounts, personA and personB
2) Log in as personA and go to the Create -> Files (artefact/file/index.php) page
3) Create a folder, say 'SubFolder', and hover the mouse over the folder to find its ID, e.g. '&folder=123'. Make a note of the value and then click into that folder
4) Upload a file to the folder
5) Reload the page; you should be in the home directory of the Files area
6) Change the URL by adding the folder id to the end (e.g. artefact/file/index.php?folder=123) and reload; you should now see that the page loads with you in the folder you created
7) Log out
8) Log in as personB and go to the Create -> Files (artefact/file/index.php) page
9) Change the URL by adding the folder id to the end (e.g. artefact/file/index.php?folder=123) and reload

Expected: As you are not the folder owner, you should not be taken to that folder

Actual: The name of the other person's folder is displayed on the screen (plus errors in dev mode)

As this is an escalation of privilege, I'll make it a security bug.
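As an added illustration, not Mahara's code and not part of this report, the following Python contrasts the behaviour the steps above describe (a folder id taken from the query string is resolved and its name rendered with no ownership check) with a hardened version that verifies ownership before any attribute of the folder reaches the response and records denied attempts for later review. Folder, FOLDERS, AccessDenied, AUDIT_LOG, folder_heading_vulnerable, folder_heading_fixed and render_files_page are hypothetical names, and the sample folder data is constructed.

```python
# Added illustration of the access-control check the report calls for.
# This is NOT Mahara's code: the data model, function names and the
# "current user" handling below are hypothetical stand-ins.

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Folder:
    folder_id: int
    owner_id: int
    title: str


# Constructed sample data: two account holders, each owning one folder.
FOLDERS = {
    123: Folder(folder_id=123, owner_id=1, title="SubFolder"),  # personA's folder
    456: Folder(folder_id=456, owner_id=2, title="Reports"),    # personB's folder
}

# Constructed audit trail of denied folder accesses: (requesting user, folder param).
AUDIT_LOG: List[Tuple[int, str]] = []


class AccessDenied(Exception):
    """Raised when the requester is not allowed to view the folder."""


def folder_heading_vulnerable(current_user_id: int, folder_param: str) -> str:
    """The behaviour the bug describes: look the folder up by the id from the
    query string and render its name before checking who owns it."""
    folder = FOLDERS[int(folder_param)]
    # Ownership is never consulted, so personB sees personA's folder name.
    return f"Files / {folder.title}"


def folder_heading_fixed(current_user_id: int, folder_param: str) -> str:
    """Hardened version: resolve the id, then verify ownership before any
    attribute of the folder (including its name) is used in the response.
    A missing folder and a folder owned by someone else are treated
    identically, so the response does not confirm that the id exists."""
    try:
        folder_id: Optional[int] = int(folder_param)
    except ValueError:
        folder_id = None
    folder = FOLDERS.get(folder_id)
    if folder is None or folder.owner_id != current_user_id:
        # Record the attempt so repeated id probing is visible to defenders.
        AUDIT_LOG.append((current_user_id, folder_param))
        raise AccessDenied("folder not found or not owned by requester")
    return f"Files / {folder.title}"


def render_files_page(
    current_user_id: int,
    folder_param: Optional[str],
    heading_fn: Callable[[int, str], str],
) -> str:
    """Page-level wrapper: no folder parameter means the home directory, and
    an access failure falls back to the home directory instead of echoing
    anything about the requested folder."""
    if folder_param is None:
        return "Files / Home"
    try:
        return heading_fn(current_user_id, folder_param)
    except AccessDenied:
        return "Files / Home"


if __name__ == "__main__":
    # personB (user 2) requesting personA's folder 123, as in steps 8-9.
    print(render_files_page(2, "123", folder_heading_vulnerable))  # leaks "SubFolder"
    print(render_files_page(2, "123", folder_heading_fixed))       # stays on Home
    print(AUDIT_LOG)
```

The hardened check deliberately raises the same error for a nonexistent id and for someone else's folder; returning different messages would let a requester distinguish valid ids from invalid ones even though the name itself is no longer shown.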

summary: Able to see name of another user's folder → Able to see name of another account holder's folder
Changed in mahara:
status: New → In Progress
importance: Undecided → High
milestone: none → 22.04.0
Kristina Hoeppner (kris-hoeppner) wrote:

For the security forum announcement (missing CVE number at present):

Able to see name of another account holder's folder
https://bugs.launchpad.net/mahara/+bug/1952808

Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure

Affected components: Folder names in the 'Files' area in Mahara.

Suggested description: In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the 'Files' area could be seen by a person not owning the folders. Files and file names themselves were not affected and were not disclosed.

Reported by: Robert Lyon
Bug report: https://bugs.launchpad.net/mahara/+bug/1952808
CVE reference: TBC

Robert Lyon (robertl-9)
information type: Private Security → Public Security