Blogs get deleted without sesskey check

Bug #676336 reported by Richard Mansfield
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
High
Richard Mansfield
1.3
Fix Released
High
Richard Mansfield
mahara (Ubuntu)
Fix Released
Medium
Artur Rona
Lucid
Fix Released
Undecided
Unassigned
Maverick
Fix Released
Undecided
Unassigned
Natty
Fix Released
Medium
Artur Rona

Bug Description

Permissions are checked but the sesskey is neither passed nor checked
e.g. artefact/blog/index.php?delete=123

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
Changed in mahara:
milestone: none → 1.2.7
Changed in mahara:
importance: Undecided → High
Changed in mahara:
status: New → Fix Committed
Changed in mahara:
assignee: nobody → Richard Mansfield (richard-mansfield)
Changed in mahara (Ubuntu):
assignee: nobody → François Marier (fmarier)
status: New → In Progress
Revision history for this message
François Marier (fmarier) wrote :
Revision history for this message
François Marier (fmarier) wrote :
Revision history for this message
François Marier (fmarier) wrote :

Please note that both debdiffs are currently embargoed and should not be released while this bug is private.

We'll change the bug status once the upstream release has happened and therefore made these problems public.

Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public
Revision history for this message
François Marier (fmarier) wrote :

This security vulnerability is now public.

Revision history for this message
François Marier (fmarier) wrote :

Oops, that Natty debdiff is not for natty at all, but rather for Maverick!

Revision history for this message
François Marier (fmarier) wrote :

Here a deb diff for Maverick

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Subscribing ubuntu-security-sponsors, as this is a security update.

Artur Rona (ari-tczew)
Changed in mahara (Ubuntu):
assignee: François Marier (fmarier) → Artur Rona (ari-tczew)
importance: Undecided → Medium
Revision history for this message
Artur Rona (ari-tczew) wrote :

Thank you for your time and efforts making Ubuntu better! However, there are some issues:

1) You used package version 1.2.5-2, but current natty's version is 1.2.6-2. Could you check it?

2) Natty is already development stage and you shouldn't use -security target. Please use just natty.

3) In d/changelog:
  - You used .dpatch for describe files, but they've been called .patch.
  - Please add (LP: #BUGNUMBER) to appropriate fields.

4) Improve DEP3 tags:
  - Origin: upstream, - please give a http link to bazaar/git/svn upstream where we can browse patch.
  - Please use short URL, so: Bug: https://launchpad.net/bugs/710428

Please also consider fix the rest patches with suggestions above.

Changed in mahara (Ubuntu Natty):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → Incomplete
Revision history for this message
François Marier (fmarier) wrote :

Hi Artur,

Disregard the natty patch, I'll be filing a sync request from unstable for that one.

Cheers,
Francois

Changed in mahara (Ubuntu Natty):
status: Incomplete → Invalid
Revision history for this message
Artur Rona (ari-tczew) wrote :

Please don't set status as Invalid cause natty is affected and invalid means that bug doesn't affect natty. You can resolve it by two ways:
1 - use tag LP: #676336 in d/changelog in Debian unstable and file individual report for sync
2 - if you don't have LP tag in d/changelog, please just comment package to sync here and we will handle sync.

Changed in mahara (Ubuntu Natty):
status: Invalid → New
Revision history for this message
François Marier (fmarier) wrote :

Artur, sorry about that.

The package to sync from sid to natty is mahara 1.2.7-1:

mahara (1.2.7-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2011-0439 (XSS in select boxes)
    - CVE-2011-0440 (CSRF when deleting blogs)

  * Add Italian debconf translation (closes: #606378)
  * Add Danish debconf translation (closes: #597766)
  * Bump debhelper compatibility to 8

Revision history for this message
Artur Rona (ari-tczew) wrote :

MOTU SWAT ACK.

Thank you for your contribution!

Changed in mahara (Ubuntu Natty):
assignee: nobody → Artur Rona (ari-tczew)
status: New → Fix Committed
Revision history for this message
Martin Pitt (pitti) wrote :

    mahara | 1.2.7-1 | natty/universe | source, all

Changed in mahara (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Lucid):
status: New → Confirmed
Changed in mahara (Ubuntu Maverick):
status: New → Confirmed
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

François, if you could in the future include URLs to the patches, it would be much easier to reconcile them:

+Origin: upstream, commit:3b1dc78070988b68fa7a8495c19957d83c204d95

maps to:

http://gitorious.org/mahara/mahara/commit/3b1dc78070988b68fa7a8495c19957d83c204d95

+Origin: upstream, commit:fcee1996e56588f2f0f54f627d3b75e695b03e1b

maps to:

http://gitorious.org/mahara/mahara/commit/fcee1996e56588f2f0f54f627d3b75e695b03e1b

Which took a fair bit of investigation to figure out.

However, these look exactly clean, and the patches fix a security vulnerability, so I see no reason to delay uploading them.

As Artur said, the url would be much more useful than just the commit ID.

I've built with the debdiffs for lucid and maverick, and installed them. I was able to perform the mahara install and browse the site. I didn't try to reproduce the security vulnerabilities, as creating users and sending emails from inside a chroot can be difficult, but the code fixes are extremely straightforward and identical to the patches applied upstream, so I'm confident the issue is resolved.

As such I've marked the Lucid and Maverick tasks as confirmed.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the patches! Sorry for the delay; I am processing these now. I might mention that in the future to follow https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for versions (eg, maverick should have 1.2.5-2ubuntu0.1) and to reference the bug number in the changelog (eg LP: #676336). I did both of these and have uploaded to the security ppa. I will publish once they are done building.

Changed in mahara (Ubuntu Maverick):
status: Confirmed → Fix Committed
Changed in mahara (Ubuntu Lucid):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.5-2ubuntu0.1

---------------
mahara (1.2.5-2ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: cross-site scripting vulnerability
    - debian/patches/CVE-2011-0439.dpatch: upstream patch
    - CVE-2011-0439
    - LP: #676336
  * SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
    - debian/patches/CVE-2011-0440.dpatch: upstream patch
    - CVE-2011-0440
 -- Francois Marier <email address hidden> Fri, 25 Mar 2011 16:38:51 +1300

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.4-1ubuntu0.2

---------------
mahara (1.2.4-1ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: cross-site scripting vulnerability
    - debian/patches/CVE-2011-0439.dpatch: upstream patch
    - CVE-2011-0439
    - LP: #676336

  * SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
    - debian/patches/CVE-2011-0440.dpatch: upstream patch
    - CVE-2011-0440
 -- Francois Marier <email address hidden> Fri, 18 Mar 2011 15:51:03 +1300

Changed in mahara (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers