Mahara

All private messages were accessible by wrong users

Bug #798128 reported by Teemu Vesala on 2011-06-16

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Mahara	Fix Released	Critical	Ruslan Kabalin	Mahara 1.4.1
	1.3	Fix Released	Critical	Ruslan Kabalin	Mahara 1.3.7

Bug Description

When "Reply to message"-functionality is used, the user who should not be able to view the PM discussion can view the whole discussion. The problem is, that at reply view 'replyto'-parameter is not handled properly. If it is changed to any existing message, the whole discussion thread is shown - no matter who the user is. Below is example of URL which is used for replies. With small guess-game the attacker can read all private messages from the system.

http://ec2-50-17-80-248.compute-1.amazonaws.com/user/sendmessage.php?id=2&replyto=6&returnto=inbox

CVE References

2011-2774

Revision history for this message

Ruslan Kabalin (rkabalin) wrote on 2011-06-16:

Thanks Teemu, well spotted!

Changed in mahara:
status:	New → Confirmed
importance:	Undecided → High

Revision history for this message

Ruslan Kabalin (rkabalin) wrote on 2011-06-16:

0001-Fix-messaging-privelege-escalation-bug-798128.patch Edit (1.6 KiB, text/plain)

Given that user never replies to (a) the system messages and (b) messages addressed to someone else. This patch should fix the bug.

As the separate feature, we may remove ID as parameter completely as we always can get whom we have to reply to from the message record.

François Marier (fmarier) on 2011-06-16

Changed in mahara:
milestone:	none → 1.4.1
importance:	High → Critical

Revision history for this message

Richard Mansfield (richard-mansfield) wrote on 2011-10-31:

Regarding ancient versions: the bug was only introduced with message threading in 1.3.
1.0 is unaffected - the message being replied to is not displayed.
1.2 also unaffected - you can see the message being replied to, but there is a check in there to make sure it's addressed to you & sent by the user you're sending to.

François Marier (fmarier) on 2011-10-31