Private group, site, or institution portfolios can be accessed by the URL without logging in
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | Critical | Doris Tam | |
| 21.04 | Fix Released | Critical | Doris Tam | |
| 21.10 | Fix Released | Critical | Doris Tam | |
| 22.04 | Fix Released | Critical | Doris Tam | |
Bug Description
Portfolios should only be available to the selected people or groups of people who have been given access. This is the case for personal portfolios. However, a change introduced in Mahara 21.04 invalidated the permissions check for group, institution, and site portfolios.
To replicate:
Group:
1. Create a private group with the setting 'Publicly viewable group' set to 'No'.
2. Create a page within the group and copy the URL when the page is in 'Display' mode.
3. Open a private browser window and go to the copied URL.
Results:
- Expected: The site redirects to the login page.
- Actual: The private group page can be seen without logging in.
Institution:
1. Create an institution.
2. Create an institution page and do not share it with anybody.
3. Open a private browser window and go to the copied URL.
Results:
- Expected: The site redirects to the login page.
- Actual: The institution page can be seen without logging in.
Site:
1. Create a site page and do not share it with anybody.
2. Open a private browser window and go to the copied URL.
Results:
- Expected: The site redirects to the login page.
- Actual: The site page can be seen without logging in.
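As an added example (not from the bug report or the Mahara project), a small Python checker an administrator can run against their own instance after upgrading: it requests each portfolio URL without a session, does not follow redirects, and reports whether the unauthenticated response protects the page. The `login` substring in redirect targets and the `login_username` form field name are assumptions about Mahara's login flow.

```python
"""Verify that private group/institution/site portfolio URLs require a login."""
import sys
import urllib.error
import urllib.request

# Assumption: Mahara's login form carries a field named "login_username".
LOGIN_FORM_MARKER = b'name="login_username"'


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 3xx can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError with the 3xx status


def classify(status, location, body):
    """Return 'protected', 'exposed' or 'unknown' for an anonymous response.

    protected: redirect to a login URL, 401/403, or a 200 that renders the
               login form instead of the portfolio.
    exposed:   200 that serves page content without a login form (the bug).
    """
    if status in (301, 302, 303, 307, 308):
        # Assumption: the login redirect target contains "login".
        return "protected" if "login" in (location or "").lower() else "unknown"
    if status in (401, 403):
        return "protected"
    if status == 200:
        return "protected" if LOGIN_FORM_MARKER in body else "exposed"
    return "unknown"


def fetch(url, timeout=10):
    """GET url with no cookies; return (status, Location header, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "portfolio-access-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read()


if __name__ == "__main__":
    # Usage: python check.py https://mahara.example/view/view.php?id=123 ...
    for page_url in sys.argv[1:]:
        print(classify(*fetch(page_url)), page_url)
```

Any URL reported as `exposed` is still serving the portfolio to anonymous visitors and indicates the fix is not in effect.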
CVE References
summary: "Private group pages can be accessed without logging by going to the url" → "Private group pages can be accessed without logging in by going to the url"
summary: "Private group pages can be accessed without logging in by going to the url" → "Private group, site, or institution portfolios can be accessed by the URL without logging in"
description: updated
information type: Private Security → Public Security
Text to publish in the security forum upon publication:
Private group pages can be accessed without logging in by going to the URL
Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Affected components: Portfolios created in groups, on the institution, and the site level that have not been shared with anybody.
Suggested description: In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known.
Reported by: Doris Tam
Bug report: https://bugs.launchpad.net/mahara/+bug/1959146
CVE reference: CVE-2022-24111