Arbitrary image download
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Robert Lyon |
1.5 | Fix Released | High | Unassigned |
1.6 | Fix Released | High | Unassigned |
1.7 | Fix Released | High | Unassigned |
mahara (Debian) | Fix Released | Unknown | |
Bug Description
I've discovered a few vulnerabilities within Mahara that allow any user to view private images + blog posts of other users. Disclosure: I know nothing about Mahara and have only used it for the last 2-3 hours; please forgive me if I am wrong in my assumptions about the architecture/
#1: Upload permissions are not properly checked when creating a journal
When creating a journal entry, a user can attach any arbitrary object by ID. From what I can tell, every object (file, journal, picture etc.) is the same kind of object (artifact?), or at least all have a unique ID. This means that if you use the file browser to select a file that you can view, then modify the ID (using Chrome's developer tools or in-flight using Burp) to the ID of a folder, journal entry or image, then that object will be attached to the journal entry.
Here is a screenshot of the issue: http://
In that image Picture1.png, maxresdefaults.jpg and "tok123tok123's Journal" belong to other users (and give permission errors if you attempt to view them).
#2: Object permissions and types are not correctly checked when embedding content within a page
It is possible to embed private objects belonging to other users within a page. In this screenshot http://
You can also select an image file to be embedded as an HTML file (under the 'Some HTML' heading) and get the file contents. You can select a folder, but this causes a 500 error.
When editing a block and selecting an upload, the page sends an instconf_
#3: Export function allows arbitrary file download
Using the technique above you can get a 1024x1024 'thumbnail' of any user's arbitrary file. Simply use the export function on a page like the one above where other users' images are embedded. Make sure the embedded image's max-size is set to 1024 and it will appear within /files/extra.
I know these are not serious issues, but I'm sure there are other permission related issues to be found. I concentrated mainly on the journal and collection features.
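The root cause common to #1 and #2 is that the server trusts the artefact ID the client submits without re-checking who owns it or what type it is. The following is an added example, not Mahara's code; it models the unchecked pattern beside a hardened form using a constructed in-memory artefact store, with hypothetical names (`Artefact`, `attach_unchecked`, `attach_checked`) and a simplified ownership rule (owner must equal the requesting user).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Artefact:
    id: int
    owner: int           # owning user id
    artefacttype: str    # "image", "file", "folder", "blogpost", ...
    title: str


class AttachmentRejected(Exception):
    """Raised when a client-supplied artefact id fails the server-side checks."""


# Constructed sample store: ids, owners and titles are invented for this example.
ARTEFACTS: Dict[int, Artefact] = {
    101: Artefact(101, owner=1, artefacttype="image", title="my_photo.png"),
    102: Artefact(102, owner=1, artefacttype="folder", title="My Folder"),
    201: Artefact(201, owner=2, artefacttype="image", title="Picture1.png"),
    202: Artefact(202, owner=2, artefacttype="blogpost", title="Other user's journal entry"),
}


def attach_unchecked(artefact_ids: Iterable[int]) -> List[str]:
    """The pattern behind the report: every id the client sends is attached,
    whoever owns it and whatever kind of artefact it is."""
    return [ARTEFACTS[aid].title for aid in artefact_ids if aid in ARTEFACTS]


def attach_checked(user_id: int, artefact_ids: Iterable[int],
                   allowed_types: Set[str]) -> List[str]:
    """Hardened form: re-validate each id server-side before attaching it.
    The ownership rule (owner == requester) is a simplification; a real
    application would consult its own access-control model here."""
    attached: List[str] = []
    for aid in artefact_ids:
        art = ARTEFACTS.get(aid)
        # Same error for "missing" and "not yours", so the response does not
        # confirm whether a guessed id exists.
        if art is None or art.owner != user_id:
            raise AttachmentRejected(f"artefact {aid} is not available to user {user_id}")
        # Type check closes the "image embedded as an HTML file" variant.
        if art.artefacttype not in allowed_types:
            raise AttachmentRejected(f"artefact {aid} is a {art.artefacttype}, "
                                     f"expected one of {sorted(allowed_types)}")
        attached.append(art.title)
    return attached


def rejected(user_id: int, artefact_ids: Iterable[int], allowed_types: Set[str]) -> bool:
    """True when attach_checked refuses the request."""
    try:
        attach_checked(user_id, artefact_ids, allowed_types)
    except AttachmentRejected:
        return True
    return False
```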
CVE References
description: updated
description: updated
Changed in mahara:
  importance: Undecided → High
Changed in mahara:
  assignee: Aaron Wells (u-aaronw) → nobody
  assignee: nobody → Robert Lyon (robertl-9)
Changed in mahara:
  status: Triaged → Confirmed
  information type: Private Security → Public Security
  no longer affects: mahara/1.8
Changed in mahara:
  status: Fix Committed → Fix Released
Changed in mahara (Debian):
  status: Unknown → Confirmed
Changed in mahara (Debian):
  status: Confirmed → Fix Released
Nobody seemed interested so I made it public. It's not exactly a 0day anyway.