Able to see name of another account holder's folder
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Unassigned |
20.10 | Fix Released | High | Unassigned |
21.04 | Fix Released | High | Unassigned |
21.10 | Fix Released | High | Unassigned |
22.04 | Fix Released | High | Unassigned |
Bug Description
Problem when passing a folder id to the 'Files' page: we can see the name of a folder that we don't own.
Testing steps:
1) Create a site with at least two accounts, personA and personB
2) Log in as personA and go to Create -> Files (artefact/
3) Create a folder, say 'SubFolder', hover mouse over folder to find the ID of the folder, eg '&folder=123'. Make a note of the value and then click into that folder
4) Upload a file to the folder
5) Reload the page and you should be in the home directory of the Files area
6) Change the URL and add to the end the folder id (eg artefact/
7) Log out
8) Log in as personB and go to Create -> Files (artefact/
9) Change the URL and add to the end the folder id (eg artefact/
Expected: As you are not the folder owner you should not go to that folder
Actual: The name of the other person's folder displays on the screen (plus errors in dev mode)
As this is an escalation of privilege I'll make it a security bug
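The ownership check the steps above exercise, as an added example that is not Mahara's code: a constructed folder store in which personA owns folder 123, a 'before' handler that renders whichever folder the URL names, and an 'after' handler that resolves a folder only for its owner. The home-directory title and the store layout are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Folder:
    id: int
    owner: str   # account that created the folder
    title: str


# Constructed stand-in for the artefact store: personA owns folder 123.
FOLDERS = {123: Folder(id=123, owner="personA", title="SubFolder")}
HOME = "Home"  # assumed title shown for the Files area's home directory


def folder_id_from_query(query: str) -> Optional[int]:
    """Read '&folder=123' from the query string; anything non-numeric is ignored."""
    values = parse_qs(query.lstrip("?")).get("folder", [])
    return int(values[0]) if values and values[0].isdigit() else None


def page_title_vulnerable(viewer: str, folder_id: Optional[int]) -> str:
    """Before: trusts the id from the URL, so any account sees the folder's name."""
    if folder_id is None:
        return HOME
    return FOLDERS[folder_id].title   # no owner check at all


def accessible_folder(viewer: str, folder_id: Optional[int]) -> Optional[Folder]:
    """After: a folder resolves only for its owner.

    Unknown and foreign ids both yield None, so the page does not reveal
    whether a folder with that id exists.
    """
    if folder_id is None:
        return None
    folder = FOLDERS.get(folder_id)
    return folder if folder is not None and folder.owner == viewer else None


def page_title_fixed(viewer: str, folder_id: Optional[int]) -> str:
    """Render the owner's folder, otherwise fall back to the home directory."""
    folder = accessible_folder(viewer, folder_id)
    return HOME if folder is None else folder.title
```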
summary: Able to see name of another user's folder → Able to see name of another account holder's folder
Changed in mahara:
status: New → In Progress
importance: Undecided → High
milestone: none → 22.04.0
information type: Private Security → Public Security
For the security forum announcement (missing CVE number at present):
Able to see name of another account holder's folder
https://bugs.launchpad.net/mahara/+bug/1952808
Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Affected components: Folder names in the 'Files' area in Mahara.
Suggested description: In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the 'Files' area could be seen by a person not owning the folders. Files and file names themselves were not affected and were not disclosed.
Reported by: Robert Lyon
Bug report: https://bugs.launchpad.net/mahara/+bug/1952808
CVE reference: TBC