Session key not checked in admin/users/addtoinstitution.php

Bug #800032 reported by Richard Mansfield
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
High
Richard Mansfield
1.3
High
Richard Mansfield

Bug Description

The addtoinstitution.php script, for adding users to institutions, doesn't check the user session key, & could be used to trick an admin into granting institution membership.

Easiest fix is probably to remove the script and move its contents into a pieform submit function. The script is linked to from the admin user search page when viewed by an institutional admin for users who have requested institution membership.

CVE References

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :

This patch is for master (fb05fba459). In a day or so it will no longer apply cleanly, but I'm leaving it here so I don't forget about it.

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :

On master, a fix for this is no longer necessary due to commit 6ba726582a

On 1.3/1.4, we just need to remove the script; it's unreachable anyway due to bug #800020

Earlier versions may need a real fix along the lines of the patch in the last comment.

Revision history for this message
François Marier (fmarier) wrote :

Richard, if this is fixed on master and it was never reachable, then this is no longer a security issue, no?

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :

1.4 patch

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :

1.3 patch

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :

Sorry, reachable was a bad word. It *is* reachable, just not through legit means, because the link to that script is never displayed on the site.

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers