Mahara

All private messages were accessible by wrong users

Bug #798128 reported by Teemu Vesala on 2011-06-16

258

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

Mahara

Fix Released

Critical

Ruslan Kabalin

Mahara 1.4.1

You need to log in to change this bug's status.

Affecting:	Mahara
Filed here by:	Teemu Vesala
When:	2011-06-16
Confirmed:	2011-06-16
Assigned:	2011-10-31
Started work:	2011-10-31
Completed:	2011-11-03

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance	Milestone
	Critical	Mahara 1.4.1

Assigned to

	Me
	Ruslan Kabalin (rkabalin)

Comment on this change (optional)

Email me about changes to this bug report

1.3

Fix Released

Critical

Ruslan Kabalin

Mahara 1.3.7

You need to log in to change this bug's status.

Affecting:	Mahara 1.3
Filed here by:	François Marier
When:	2011-06-16
Confirmed:	2011-06-16
Assigned:	2011-10-31
Started work:	2011-10-31
Completed:	2011-11-03

Status	Importance	Milestone
	Critical	Mahara 1.3.7

Assigned to

	Me
	Ruslan Kabalin (rkabalin)

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

When "Reply to message"-functionality is used, the user who should not be able to view the PM discussion can view the whole discussion. The problem is, that at reply view 'replyto'-parameter is not handled properly. If it is changed to any existing message, the whole discussion thread is shown - no matter who the user is. Below is example of URL which is used for replies. With small guess-game the attacker can read all private messages from the system.

http://ec2-50-17-80-248.compute-1.amazonaws.com/user/sendmessage.php?id=2&replyto=6&returnto=inbox

Add tags Tag help

CVE References

2011-2774

Ruslan Kabalin (rkabalin) wrote on 2011-06-16:

Thanks Teemu, well spotted!

Changed in mahara:
status:	New → Confirmed
importance:	Undecided → High

Ruslan Kabalin (rkabalin) wrote on 2011-06-16:

0001-Fix-messaging-privelege-escalation-bug-798128.patch Edit (1.6 KiB, text/plain)

Given that user never replies to (a) the system messages and (b) messages addressed to someone else. This patch should fix the bug.

As the separate feature, we may remove ID as parameter completely as we always can get whom we have to reply to from the message record.

François Marier (fmarier) on 2011-06-16

Changed in mahara:
milestone:	none → 1.4.1
importance:	High → Critical

Richard Mansfield (richard-mansfield) wrote on 2011-10-31:

Regarding ancient versions: the bug was only introduced with message threading in 1.3.
1.0 is unaffected - the message being replied to is not displayed.
1.2 also unaffected - you can see the message being replied to, but there is a check in there to make sure it's addressed to you & sent by the user you're sending to.

François Marier (fmarier) on 2011-10-31