Private group, site, or institution portfolios can be accessed by the URL without logging in

Bug #1959146 reported by Doris Tam
Affects   Status        Importance   Assigned to   Milestone
Mahara    Fix Released  Critical     Doris Tam
21.04     Fix Released  Critical     Doris Tam
21.10     Fix Released  Critical     Doris Tam
22.04     Fix Released  Critical     Doris Tam

Bug Description

Portfolios should only be available to the selected people or groups of people who have been given access. This is the case for personal portfolios. However, a change introduced in Mahara 21.04 invalidated the permissions check for group, institution, and site portfolios.

To replicate:

Group:

1. Create a private group with the setting 'Publicly viewable group' set to 'No'.
2. Create a page within the group and copy the URL when the page is in 'Display' mode.
3. Open a private browser window and go to the copied URL.

Results:
- Expected: The site redirects to the login page.
- Actual: The private group page can be seen without logging in.

Institution:

1. Create an institution.
2. Create an institution page and do not share it with anybody.
3. Open a private browser window and go to the copied URL.

Results:
- Expected: The site redirects to the login page.
- Actual: The institution page can be seen without logging in.

Site:

1. Create a site page and do not share it with anybody.
2. Open a private browser window and go to the copied URL.

Results:
- Expected: The site redirects to the login page.
- Actual: The site page can be seen without logging in.
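
The three manual checks above can be scripted. The following is an added example (not part of the bug report or of Mahara's code): it fetches each portfolio URL with no session cookie, refuses to follow redirects so the Location header can be inspected, and reports "protected" when the server redirects to a login page or serves a login form, "exposed" when it returns the page body without a login. The host name, the view URL pattern /view/view.php?id=N, and the password-input heuristic used to recognise a login form are assumptions; replace the targets with the URLs copied in 'Display' mode.

```python
"""Unauthenticated access check for portfolio URLs (added example, not
Mahara's own code). Host name, view URL pattern and the login-form
heuristic are assumptions; run it against the URLs copied in 'Display' mode."""
import re
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Assumption: a password input in the served HTML marks the login page.
PASSWORD_INPUT = re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.IGNORECASE)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so the Location
    header (the login redirect we expect) can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location: Optional[str], body: str) -> str:
    """Classify one anonymous response to a portfolio URL.

    protected: redirected to a login page, or the body is itself a login form
    exposed:   200 with page content and no login form, the behaviour this bug describes
    other:     anything else (404, 500, redirect elsewhere); inspect by hand
    """
    if 300 <= status < 400:
        return "protected" if location and "login" in location.lower() else "other"
    if status == 200:
        return "protected" if PASSWORD_INPUT.search(body) else "exposed"
    return "other"


def fetch_anonymous(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str], str]:
    """GET url with no cookies or session; return (status, Location header, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "portfolio-access-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # With _NoRedirect installed, every 3xx (and any 4xx/5xx) arrives here.
        return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")


def check_urls(urls) -> dict:
    """Map each URL to its verdict; 'exposed' means the permissions check failed."""
    return {url: classify(*fetch_anonymous(url)) for url in urls}


if __name__ == "__main__":
    # Assumed host and view ids: replace with the URLs of a private group page,
    # an unshared institution page and an unshared site page.
    targets = sys.argv[1:] or [
        "https://mahara.example.org/view/view.php?id=101",
        "https://mahara.example.org/view/view.php?id=102",
        "https://mahara.example.org/view/view.php?id=103",
    ]
    results = check_urls(targets)
    for url, verdict in results.items():
        print(f"{verdict:9s} {url}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

An "exposed" verdict for any of the three URLs reproduces the bug; the non-zero exit status lets the script double as a post-upgrade smoke test once the fixed release is installed.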

CVE References

CVE-2022-24111

Activity:

summary: changed from "Private group pages can be accessed without logging by going to the url" to "Private group pages can be accessed without logging in by going to the url"
summary: changed from "Private group pages can be accessed without logging in by going to the url" to "Private group, site, or institution portfolios can be accessed by the URL without logging in"
description: updated
Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote :

Text to publish in the security forum upon publication:

Private group pages can be accessed without logging in by going to the URL
https://bugs.launchpad.net/mahara/+bug/1959146

Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure

Affected components: Portfolios created in groups and at the institution and site levels that have not been shared with anybody.

Suggested description: In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known.

Reported by: Doris Tam
Bug report: https://bugs.launchpad.net/mahara/+bug/1959146
CVE reference: CVE-2022-24111

Robert Lyon (robertl-9)
information type: Private Security → Public Security