Information disclosure in my friends pagination script

Bug #772140 reported by Richard Mansfield on 2011-04-28
Affects    Status    Importance    Assigned to          Milestone
Mahara               High          Richard Mansfield
1.3                  High          Richard Mansfield

Bug Description

There are three problems with this script:
1. It takes a block id, but doesn't check that the logged-in user is allowed to see the view that the block appears in.
2. It takes a user id, and doesn't check that the user id matches the id of the view owner.
3. It returns a list of friends with too much information; it should only return the HTML to replace the block content.

Does not affect Mahara 1.2 (there was no friends block pagination).
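As an added illustration (this is not Mahara's code; the data structures, function names and the endpoint shape are assumptions made for the example), the following Python models a friends-pagination endpoint with the three defects described above beside a hardened version: the block id is resolved to its view and view access is enforced, the owner whose friends are listed is derived from the view instead of being taken from the request, and only the rendered replacement HTML is returned.

```python
import html
from dataclasses import dataclass, field

# Constructed sample data (assumption, not Mahara's schema): one view (id 10)
# owned by user 1 and shared only with user 2, containing a friends block
# (id 100). All ids, names and e-mail addresses are made up.
@dataclass
class View:
    id: int
    owner: int
    allowed_viewers: set = field(default_factory=set)  # user ids who may see it

@dataclass
class Block:
    id: int
    view_id: int

VIEWS = {10: View(10, owner=1, allowed_viewers={1, 2})}
BLOCKS = {100: Block(100, view_id=10)}
FRIENDS = {
    1: [{"id": 5, "name": "alice", "email": "alice@example.invalid"},
        {"id": 6, "name": "bob <b>", "email": "bob@example.invalid"}],
    2: [{"id": 7, "name": "carol", "email": "carol@example.invalid"}],
}


def vulnerable_friends_page(logged_in_user, block_id, user_id, offset, limit):
    """Models the reported behaviour: block_id is accepted but never used for an
    access check, user_id is trusted exactly as given, and the raw friend
    records (including fields the block never displays) are returned."""
    return FRIENDS.get(user_id, [])[offset:offset + limit]


def render_friends_html(friends):
    """Render only what the block needs to show, escaping names so that
    user-controlled text cannot inject markup into the replaced block."""
    items = "".join(f"<li>{html.escape(f['name'])}</li>" for f in friends)
    return f"<ul>{items}</ul>"


def hardened_friends_page(logged_in_user, block_id, offset, limit):
    """Returns (status, body). Note that user_id is no longer a parameter."""
    block = BLOCKS.get(block_id)
    if block is None:
        return 404, ""
    view = VIEWS[block.view_id]
    # Fix 1: the caller must be allowed to see the view the block lives in.
    if logged_in_user not in view.allowed_viewers:
        return 403, ""
    # Fix 2: the owner whose friends are listed is derived from the view,
    # never taken from the request, so it cannot disagree with the view.
    owner = view.owner
    # Fix 3: the response is just the replacement HTML, not the friend records.
    page = FRIENDS.get(owner, [])[offset:offset + limit]
    return 200, render_friends_html(page)
```

In the vulnerable form, a user with no access to view 10 can request block 100 and receive the owner's friend list with e-mail addresses, and can pass any other user id to list that user's friends instead; the hardened form answers 403 to the first and has no user id parameter to abuse in the second.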


Richard Mansfield (richard-mansfield) wrote:
visibility: private → public
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released