Private group, site, or institution portfolios can be accessed by the URL without logging in

Bug #1959146 reported by Doris Tam
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
Critical
Doris Tam
21.04
Fix Released
Critical
Doris Tam
21.10
Fix Released
Critical
Doris Tam
22.04
Fix Released
Critical
Doris Tam

Bug Description

Portfolios should only be available to the selected people or groups of people who have been given access. This is the case for personal portfolios. However, a change introduced in Mahara 21.04 invalidated the permissions check for group, institution, and site portfolios.

To replicate:

Group:

1. Create a private group with the setting 'Publicly viewable group' set to 'No'.
2. Create a page within the group and copy the URL when the page is in 'Display' mode.
3. Open a private browser window and go to the copied URL.

Results:
- Expected: The site redirects to the login page.
- Actual: The private group page can be seen without logging in.

Institution:

1. Create an institution.
2. Create an institution page and do not share it with anybody.
3. Open a private browser window and go to the copied URL.

Results:
- Expected: The site redirects to the login page.
- Actual: The institution page can be seen without logging in.

Site:

1. Create a site page and do not share it with anybody.
2. Open a private browser window and go to the copied URL.

Results:
- Expected: The site redirects to the login page.
- Actual: The site page can be seen without logging in.

CVE References

summary: - Private group pages can be accessed without logging by going to the url
+ Private group pages can be accessed without logging in by going to the
+ url
summary: - Private group pages can be accessed without logging in by going to the
- url
+ Private group, site, or institution portfolios can be accessed by the
+ URL without logging in
description: updated
Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote :

Text to publish in the security forum upon publication:

Private group pages can be accessed without logging in by going to the URL
https://bugs.launchpad.net/mahara/+bug/1959146

Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure

Affected components: Portfolios created in groups, on the institution, and the site level that have not been shared with anybody.

Suggested description: In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known.

Reported by: Doris Tam
Bug report: https://bugs.launchpad.net/mahara/+bug/1959146
CVE reference: CVE-2022-24111

Robert Lyon (robertl-9)
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers