Session key not checked in admin/users/addtoinstitution.php

Bug #800032 reported by Richard Mansfield
Affects: Mahara
Status: Fix Released
Importance: High
Assigned to: Richard Mansfield
Milestone: 1.3

Bug Description

The addtoinstitution.php script, for adding users to institutions, doesn't check the user session key, and could be used to trick an admin into granting institution membership.

Easiest fix is probably to remove the script and move its contents into a pieform submit function. The script is linked to from the admin user search page when viewed by an institutional admin for users who have requested institution membership.
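An added illustration of the defect and of the fix the report proposes, written here in plain PHP rather than taken from Mahara's code; the function names, the form and the "sesskey" parameter are assumptions, and the membership update is a stand-in:

```php
<?php
// Added illustration (not Mahara's code). The reported defect is a
// state-changing script reachable by a plain link that never checks the
// session key, so the browser's cookie alone authorises the action.
session_start();

// Issue one key per session; every state-changing request must echo it back.
function session_key(): string {
    if (empty($_SESSION['sesskey'])) {
        $_SESSION['sesskey'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['sesskey'];
}

// Shape of the reported script: acts on request parameters alone.
function add_to_institution_unchecked(array $request): void {
    grant_membership((int) $request['id'], (string) $request['institution']);
}

// Hardened shape: require POST and a session key matching the issued one.
function add_to_institution_checked(string $method, array $request): void {
    if ($method !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    $supplied = (string) ($request['sesskey'] ?? '');
    // hash_equals compares in constant time, so timing does not leak the key.
    if ($supplied === '' || !hash_equals(session_key(), $supplied)) {
        http_response_code(403);
        exit('Invalid session key');
    }
    grant_membership((int) $request['id'], (string) $request['institution']);
}

// Hypothetical stand-in for the real membership update.
function grant_membership(int $userid, string $institution): void {
    error_log("user $userid added to institution $institution");
}

// A form rendered by the site itself (what a pieform submit function gives
// you) carries the key, so only pages served by this site can build a
// request that passes the check above.
function render_form(int $userid, string $institution): string {
    $esc = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="addtoinstitution.php">'
         . '<input type="hidden" name="sesskey" value="' . $esc(session_key()) . '">'
         . '<input type="hidden" name="id" value="' . $userid . '">'
         . '<input type="hidden" name="institution" value="' . $esc($institution) . '">'
         . '<button type="submit">Add to institution</button></form>';
}

add_to_institution_checked($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
```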

Richard Mansfield (richard-mansfield) wrote :

This patch is for master (fb05fba459). In a day or so it will no longer apply cleanly, but I'm leaving it here so I don't forget about it.

Richard Mansfield (richard-mansfield) wrote :

On master, a fix for this is no longer necessary due to commit 6ba726582a

On 1.3/1.4, we just need to remove the script; it's unreachable anyway due to bug #800020

Earlier versions may need a real fix along the lines of the patch in the last comment.

François Marier (fmarier) wrote :

Richard, if this is fixed on master and it was never reachable, then this is no longer a security issue, no?

Richard Mansfield (richard-mansfield) wrote :

1.4 patch

Richard Mansfield (richard-mansfield) wrote :

1.3 patch

Richard Mansfield (richard-mansfield) wrote :

Sorry, reachable was a bad word. It *is* reachable, just not through legit means, because the link to that script is never displayed on the site.

Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public