Administrators masquerading as other users can jump to remote XMLRPC applications as that other user
Bug #884223 reported by Andrew Nicols
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Andrew Nicols |
1.3 | Fix Released | High | François Marier |
Bug Description
With MNet set up, if a user logs in as another user and jumps to an XMLRPC target, they are logged in to that target as the child user of the login-as session.
This really shouldn't be the case. If two applications are joined but have different administrators, this would potentially allow for privilege escalation.
If the local application administrator knows of an account which is an administrator on a remote application, then they could log in as that user on the local application and jump to the remote application, thereby escalating their privileges.
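The failure mode in the report, modelled as an added example (not Mahara's code): a masquerading session carries both the real user and the child user, and the SSO jump must not hand the child identity to the peer. The session layout, `parent` field and function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Constructed model of a login session. While an administrator is
    'logged in as' someone else, `parent` holds the administrator's own session."""
    username: str
    is_admin: bool
    parent: Optional["Session"] = None


class JumpRefused(Exception):
    """Raised when an MNet jump is attempted from a masquerading session."""


def vulnerable_jump_identity(session: Session) -> str:
    # Behaviour described in the report: whatever identity is currently
    # effective is sent to the remote peer, including a masqueraded one.
    return session.username


def hardened_jump_identity(session: Session) -> str:
    # Fix: a jump may only carry an identity that actually authenticated
    # locally. Masquerading sessions are refused outright rather than being
    # downgraded, so the peer never sees a login the real user did not perform.
    if session.parent is not None:
        raise JumpRefused(
            f"{session.parent.username} is masquerading as {session.username}; "
            "remote jump refused"
        )
    return session.username


# Constructed sample: a local admin masquerading as an account that is an
# administrator on the remote application.
LOCAL_ADMIN = Session("localadmin", is_admin=True)
MASQUERADING = Session("remoteadmin", is_admin=True, parent=LOCAL_ADMIN)


if __name__ == "__main__":
    print("vulnerable sends:", vulnerable_jump_identity(MASQUERADING))
    try:
        hardened_jump_identity(MASQUERADING)
    except JumpRefused as exc:
        print("hardened:", exc)
```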
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public
Definitely affects master