Can attach other users' Folders to your Image Gallery block

Bug #1236636 reported by Aaron Wells
Affects   Status         Importance   Assigned to   Milestone
Mahara    Fix Released   High         Aaron Wells
1.5       Fix Released   High         Son Nguyen
1.6       Fix Released   High         Son Nguyen
1.7       Fix Released   High         Son Nguyen

Bug Description

Here's one we missed in Bug 1211758. You can manipulate the HTTP request data when selecting the Folder for an Image Gallery (aka "slideshow") block, to attach other users' folders.

Because you lack permission to view the images, you wind up with a slideshow of "broken image" placeholders. But as was mentioned in 1211758, you can still access the images by exploiting the lack of verification when you export.

I tested the Folder block, and was not able to replicate this weakness there. So it appears to be limited to Image Gallery.
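The following is an added illustration of the bug class described in this report, not code from Mahara or from the reporter. It models a block configuration form that receives a folder (artefact) id from the HTTP request and stores it unchecked, beside a version that verifies the current user may use that artefact before saving and again when the block is rendered or exported. All names, the sample artefact table, and the request data are constructed for the example.

```php
<?php
// Added example (not Mahara code). Illustrates the class of bug in #1236636:
// a block's configuration form takes a folder (artefact) id straight from the
// HTTP request and stores it without checking that the current user may use
// that artefact. Every function name and data structure below is hypothetical.

declare(strict_types=1);

// Constructed sample data: artefact id => owner user id and artefact type.
const ARTEFACTS = [
    101 => ['owner' => 1, 'type' => 'folder'],
    202 => ['owner' => 2, 'type' => 'folder'],   // belongs to another user
    303 => ['owner' => 1, 'type' => 'image'],    // right owner, wrong type
];

class AccessDeniedException extends Exception {}

// Vulnerable: trusts the posted id. The UI only ever offers the user's own
// folders, but the request body can be edited, so folder 202 (owned by user 2)
// ends up attached to user 1's block.
function save_gallery_config_vulnerable(int $userid, array $post): array
{
    $folderid = (int) ($post['artefactid'] ?? 0);
    return ['owner' => $userid, 'artefactid' => $folderid];
}

// Server-side authorisation: the artefact must exist, belong to the acting
// user, and be of the type the block expects.
function user_can_use_artefact(int $userid, int $artefactid, string $expectedtype): bool
{
    $a = ARTEFACTS[$artefactid] ?? null;
    if ($a === null) {
        return false;   // unknown id is simply denied
    }
    return $a['owner'] === $userid && $a['type'] === $expectedtype;
}

// Hardened: resolve and authorise the artefact before it is written into the
// block configuration.
function save_gallery_config_hardened(int $userid, array $post): array
{
    $folderid = (int) ($post['artefactid'] ?? 0);
    if (!user_can_use_artefact($userid, $folderid, 'folder')) {
        throw new AccessDeniedException("Folder $folderid is not available to user $userid");
    }
    return ['owner' => $userid, 'artefactid' => $folderid];
}

// Defence in depth: re-check at output time (page render and export), so a
// configuration that was tampered with or saved before the fix never becomes
// a way to read another user's images.
function gallery_artefact_for_output(array $config): ?int
{
    return user_can_use_artefact($config['owner'], $config['artefactid'], 'folder')
        ? $config['artefactid']
        : null;
}

// Demonstration: a request whose artefactid was edited to another user's folder.
$tampered = ['artefactid' => '202'];

$cfg = save_gallery_config_vulnerable(1, $tampered);
echo "vulnerable code stored artefactid={$cfg['artefactid']} for user 1\n";
echo 'output-time check on that config yields: '
    . var_export(gallery_artefact_for_output($cfg), true) . "\n";

try {
    save_gallery_config_hardened(1, $tampered);
} catch (AccessDeniedException $e) {
    echo 'hardened code rejected: ' . $e->getMessage() . "\n";
}

$ok = save_gallery_config_hardened(1, ['artefactid' => '101']);
echo "hardened code stored artefactid={$ok['artefactid']} for user 1\n";
```

The two places the check appears are deliberate: validating on save closes the hole the report describes, while validating on render and export covers the second path mentioned above, where stored configuration is trusted without re-verification.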

Aaron Wells (u-aaronw)
Changed in mahara:
status: Confirmed → Fix Committed
Aaron Wells (u-aaronw)
Changed in mahara:
status: Fix Committed → Fix Released
Aaron Wells (u-aaronw)
information type: Private Security → Public Security
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/2654
Committed: http://gitorious.org/mahara/mahara/commit/712e62abf67dc98449b4effc0a34516add340069
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.7_STABLE

commit 712e62abf67dc98449b4effc0a34516add340069
Author: Aaron Wells <email address hidden>
Date: Tue Oct 8 12:53:31 2013 +1300

Image Gallery: Make sure the user has access to the selected folder

Bug 1236636

Change-Id: I69deb64a5113806ec89145c1213f6a1d10038d78
Signed-off-by: Aaron Wells <email address hidden>

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/2652
Committed: http://gitorious.org/mahara/mahara/commit/20d88dad779e4f07aab8f886db12dbec988acde5
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.5_STABLE

commit 20d88dad779e4f07aab8f886db12dbec988acde5
Author: Aaron Wells <email address hidden>
Date: Tue Oct 8 12:53:31 2013 +1300

Image Gallery: Make sure the user has access to the selected folder

Bug 1236636

Change-Id: I69deb64a5113806ec89145c1213f6a1d10038d78
Signed-off-by: Aaron Wells <email address hidden>

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/2653
Committed: http://gitorious.org/mahara/mahara/commit/092cb5856c0471d79e576e59c83b228c652bce2a
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.6_STABLE

commit 092cb5856c0471d79e576e59c83b228c652bce2a
Author: Aaron Wells <email address hidden>
Date: Tue Oct 8 12:53:31 2013 +1300

Image Gallery: Make sure the user has access to the selected folder

Bug 1236636

Change-Id: I69deb64a5113806ec89145c1213f6a1d10038d78
Signed-off-by: Aaron Wells <email address hidden>
