All private messages were accessible by wrong users

Bug #798128 reported by Teemu Vesala on 2011-06-16
Affects   Status   Importance   Assigned to       Milestone
Mahara             Critical     Ruslan Kabalin
1.3                Critical     Ruslan Kabalin

Bug Description

When the "Reply to message" functionality is used, a user who should not be able to view the PM discussion can view the whole discussion. The problem is that in the reply view the 'replyto' parameter is not handled properly. If it is changed to any existing message, the whole discussion thread is shown, no matter who the user is. Below is an example of a URL which is used for replies. With a small guessing game the attacker can read all private messages from the system.

http://ec2-50-17-80-248.compute-1.amazonaws.com/user/sendmessage.php?id=2&replyto=6&returnto=inbox

Ruslan Kabalin (rkabalin) wrote :

Thanks Teemu, well spotted!

Changed in mahara:
status: New → Confirmed
importance: Undecided → High
Ruslan Kabalin (rkabalin) wrote :

Given that a user never replies to (a) system messages or (b) messages addressed to someone else, this patch should fix the bug.

As a separate feature, we may remove ID as a parameter completely, as we can always get whom we have to reply to from the message record.

Changed in mahara:
milestone: none → 1.4.1
importance: High → Critical

Regarding ancient versions: the bug was only introduced with message threading in 1.3.
1.0 is unaffected - the message being replied to is not displayed.
1.2 is also unaffected - you can see the message being replied to, but there is a check in there to make sure it's addressed to you & sent by the user you're sending to.
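The following is an added illustration of the two points above, not code from Mahara or from anyone on this report: the bug description (a 'replyto' id taken straight from the URL and shown without being tied to the current user) and the 1.2-style check (the message being replied to must be addressed to you and sent by the user you are replying to). The message table, the user ids and all function names are constructed assumptions for the example.

```python
"""Ownership check for a "reply to message" view.

Constructed example, not Mahara code: an in-memory message table stands in
for the database, and every name below is an assumption for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


class AccessDenied(Exception):
    """Raised when the requested message is not visible to the current user."""


@dataclass(frozen=True)
class Message:
    id: int
    sender: int                    # user id of the author
    recipient: int                 # user id of the addressee
    body: str
    parent: Optional[int] = None   # id of the message this one replies to


# Constructed sample data: users 1 (alice), 2 (bob), 3 (carol); two separate
# conversations, one of which carol must never see.
MESSAGES = {
    1: Message(1, sender=1, recipient=2, body="hi from alice to bob"),
    2: Message(2, sender=2, recipient=1, body="bob replies to alice", parent=1),
    5: Message(5, sender=3, recipient=1, body="carol to alice"),
    6: Message(6, sender=2, recipient=3, body="bob to carol"),
}


def thread(message_id: int) -> list[Message]:
    """Follow parent links back to the root; oldest message first."""
    out = []
    cur = MESSAGES.get(message_id)
    while cur is not None:
        out.append(cur)
        cur = MESSAGES.get(cur.parent) if cur.parent is not None else None
    return list(reversed(out))


def reply_view_vulnerable(current_user: int, to_user: int,
                          replyto: int) -> list[Message]:
    """The pattern the report describes: `replyto` comes from the URL and is
    never compared against `current_user`, so any existing id reveals its
    whole thread.  `current_user` and `to_user` are simply ignored."""
    return thread(replyto)


def can_reply_to(current_user: int, to_user: int, replyto: int) -> bool:
    """The 1.2-style check: the message being replied to must exist, be
    addressed to the current user, and have been sent by the user the reply
    is going to.  A missing id and someone else's id both return False so a
    guessed id does not leak whether it exists."""
    msg = MESSAGES.get(replyto)
    return (msg is not None
            and msg.recipient == current_user
            and msg.sender == to_user)


def reply_view_fixed(current_user: int, to_user: int,
                     replyto: int) -> list[Message]:
    """Server-side authorisation before anything is rendered.  The thread is
    additionally filtered to messages involving the current user as defence
    in depth against a mislinked parent."""
    if not can_reply_to(current_user, to_user, replyto):
        raise AccessDenied("message not found")
    return [m for m in thread(replyto)
            if current_user in (m.sender, m.recipient)]


if __name__ == "__main__":
    # carol (3) requesting alice/bob's thread: leaked by the vulnerable view,
    # refused by the fixed one.
    print([m.body for m in reply_view_vulnerable(3, 2, 2)])
    print(can_reply_to(3, 2, 2))
```

The test for the fix is the pair of calls at the bottom: the same request that returns both messages of the alice/bob conversation from `reply_view_vulnerable` is rejected by `can_reply_to`, while alice replying to bob's message 2 still gets the full thread. The check must run server-side in the reply handler; dropping the `id` parameter, as suggested in the comment above, removes one of the two inputs the check has to validate but does not replace the recipient check on `replyto`.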

Changed in mahara:
assignee: nobody → Ruslan Kabalin (rkabalin)
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public