Session key not checked in admin/users/addtoinstitution.php

Bug #800032 reported by Richard Mansfield on 2011-06-21
Affects   Status   Importance   Assigned to         Milestone
Mahara             High         Richard Mansfield
1.3                High         Richard Mansfield

Bug Description

The addtoinstitution.php script, for adding users to institutions, doesn't check the user session key, and could be used to trick an admin into granting institution membership.

Easiest fix is probably to remove the script and move its contents into a pieform submit function. The script is linked to from the admin user search page when viewed by an institutional admin for users who have requested institution membership.
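The class of bug described above, as an added illustration (this is example code written for this page, not Mahara's code, and it does not reproduce the real addtoinstitution.php): a state-changing admin action that is reachable by plain GET and is not tied to a per-session secret can be triggered from any page the logged-in admin visits. The function names session_key(), add_user_to_institution(), the 'sesskey' parameter name and the $_SESSION layout are assumptions made for the example; Mahara's own pieform handling and session key API are not shown here.

```php
<?php
// Added example, not Mahara's code. Shows the vulnerable pattern the report
// describes beside a handler that verifies a per-session key before acting.
// session_key(), add_user_to_institution() and the 'sesskey' parameter are
// assumptions for this example, not Mahara's real API.

declare(strict_types=1);

// Issue one random key per session and reuse it for the rest of the session.
function session_key(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['sesskey'])) {
        $_SESSION['sesskey'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['sesskey'];
}

// Stand-in for the data-layer call; the example only records what it was asked.
function add_user_to_institution(int $userid, string $institution): void
{
    error_log(sprintf('would add user %d to institution %s', $userid, $institution));
}

// Vulnerable pattern (what the report describes): membership is granted from
// request parameters alone, with no proof that the request came from a form
// the admin actually submitted on this site.
function addtoinstitution_vulnerable(array $request): string
{
    $userid = (int) ($request['id'] ?? 0);
    $institution = (string) ($request['institution'] ?? '');
    add_user_to_institution($userid, $institution);
    return 'added';
}

// Hardened pattern: only accept POST, require the session key as a form field,
// compare it in constant time, and refuse the action otherwise. A form-submit
// handler (in Mahara, a pieform submit function) gets this check because the
// form itself carries the key as a hidden field.
function addtoinstitution_checked(string $method, array $request): string
{
    if ($method !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    $submitted = (string) ($request['sesskey'] ?? '');
    if ($submitted === '' || !hash_equals(session_key(), $submitted)) {
        http_response_code(403);
        return 'invalid session key';
    }
    $userid = (int) ($request['id'] ?? 0);
    $institution = (string) ($request['institution'] ?? '');
    add_user_to_institution($userid, $institution);
    return 'added';
}

// The hidden field a legitimate form must carry for the checked handler to accept it.
function sesskey_field(): string
{
    return '<input type="hidden" name="sesskey" value="'
        . htmlspecialchars(session_key(), ENT_QUOTES, 'UTF-8') . '">';
}
```

The point of moving the action into a form-submit handler, as the report suggests, is that the key is emitted with the form and verified on submission automatically, so there is no separate GET-reachable script left to forget the check in. When reviewing similar code, the things to look for are: a state-changing action reachable by GET, a handler that reads only user/target ids from the request, and no comparison against a per-session secret.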


This patch is for master (fb05fba459). In a day or so it will no longer apply cleanly, but I'm leaving it here so I don't forget about it.

On master, a fix for this is no longer necessary due to commit 6ba726582a.

On 1.3/1.4, we just need to remove the script; it's unreachable anyway due to bug #800020

Earlier versions may need a real fix along the lines of the patch in the last comment.

François Marier (fmarier) wrote:

Richard, if this is fixed on master and it was never reachable, then this is no longer a security issue, no?

Sorry, reachable was a bad word. It *is* reachable, just not through legit means, because the link to that script is never displayed on the site.

Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public
This report contains Public Security information. Everyone can see this security related information.
