We had difficulty implementing a fix for issue #3 in this bug's description: the export of pages that already include links to other users' artefacts. So since preventing the linking to other users' artefacts mitigates the risk of that vulnerability somewhat, I've gone ahead and spun that out into a separate bug: https://bugs.launchpad.net/mahara/+bug/1234615

-- 
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or the mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1211758

Title:
  Arbitrary image download

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.5 series:
  Fix Released
Status in Mahara 1.6 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Committed

Bug description:
  I've discovered a few vulnerabilities within Mahara that allow any user to view private images + blog posts of other users.

  Disclosure: I know nothing about Mahara and have only used it for the last 2-3 hours, please forgive me if I am wrong in my assumptions about the architecture/functionality.

  #1: Upload permissions are not properly checked when creating a journal

  When creating a journal entry a user can attach any arbitrary object by ID. From what I can tell every object (file, journal, picture etc.) is the same object (artifact?), or at least all have a unique ID. This means that if you use the file browser to select a file that you can view, then modify the ID (using Chrome's developer tools or in-flight using Burp) to the ID of a folder, journal entry or image, then that object will be attached to the journal entry.

  Here is a screenshot of the issue: http://i.imgur.com/Lwpm808.png

  In that image Picture1.png, maxresdefaults.jpg and "tok123tok123's Journal" belong to other users (and give permission errors if you attempt to view them).

  #2: Object permissions and types are not correctly checked when embedding content within a page

  It is possible to embed private objects belonging to other users within a page. In this screenshot http://i.imgur.com/SShOalI.png I have created a page and attached it to a collection. None of the objects in those blocks belong to the current user (and hence are un-viewable), and all are private (the journal entry to the right is unpublished). You can also select an image file to be embedded as an HTML file (under the 'Some HTML' heading) and get the file contents. You can select a folder, but this causes a 500 error.

  When editing a block and selecting an upload, the page sends an instconf_artefactid_selected[ID] parameter to the server. Simply manipulating the ID in the brackets and the value will let you embed any object.

  #3: Export function allows arbitrary file download

  Using the technique above you can get a 1024x1024 'thumbnail' of any user's arbitrary file. Simply use the export function on a page like the one above where other users' images are embedded. Make sure the embedded image's max size is set to 1024 and it will appear within /files/extra.

  I know these are not serious issues, but I'm sure there are other permission-related issues to be found. I concentrated mainly on the journal and collection features.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1211758/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
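The pattern reported under #1 and #2 (a client-supplied artefact ID attached to a block or journal entry without the server checking who owns it or what type it is) is an insecure direct object reference. The following is an added illustration written for this page, not Mahara's own code: the artefact table, the owner/type fields, the per-block type allow-list and the `attach_*` handlers are all assumptions used to model the report. Only the `instconf_artefactid_selected[ID]` form-key shape comes from the bug description. The model deliberately treats ownership as the only grant; a real fix in Mahara would also have to admit artefacts legitimately shared with the requesting user, which this example omits.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Artefact:
    id: int
    owner: int          # owning user id (assumed field)
    artefacttype: str   # 'image', 'file', 'blogpost' or 'folder' (assumed)


# Constructed sample artefact table (not real Mahara data):
# user 1 owns 10 and 11; user 2 owns 20, 21 and 22.
ARTEFACTS = {
    10: Artefact(10, 1, 'image'),
    11: Artefact(11, 1, 'file'),
    20: Artefact(20, 2, 'image'),
    21: Artefact(21, 2, 'blogpost'),   # another user's unpublished entry
    22: Artefact(22, 2, 'folder'),
}

# Form keys look like instconf_artefactid_selected[<artefact id>]
SELECTED_KEY = re.compile(r'^instconf_artefactid_selected\[(\d+)\]$')


def selected_ids(form):
    """Return the artefact ids named by instconf_artefactid_selected[...] keys."""
    ids = []
    for key, value in form.items():
        m = SELECTED_KEY.match(key)
        if m and value not in ('', '0'):
            ids.append(int(m.group(1)))
    return ids


def attach_vulnerable(form, user_id, blocktype):
    """The behaviour the report describes: whatever id the client sends is
    attached, regardless of owner or artefact type. user_id and blocktype
    are accepted but never consulted, which is exactly the bug."""
    return [i for i in selected_ids(form) if i in ARTEFACTS]


# Assumed per-block allow-list: an 'image' block may only embed images and an
# 'html' block only files, so a picture cannot be read back as raw HTML and a
# folder never reaches the renderer (the 500 in the report).
ALLOWED_TYPES = {
    'image': {'image'},
    'html': {'file'},
    'blogpost': {'blogpost'},
}


@dataclass
class Decision:
    attached: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)   # artefact id -> reason

    @property
    def ok(self):
        return not self.rejected


def attach_hardened(form, user_id, blocktype):
    """Server-side checks before any client-supplied id is attached: the
    artefact must exist, be owned by the requesting user, and be of a type
    the block is permitted to render. If any id fails, nothing is attached,
    so a tampered request cannot smuggle in a single foreign artefact."""
    d = Decision()
    allowed = ALLOWED_TYPES.get(blocktype)
    for i in selected_ids(form):
        a = ARTEFACTS.get(i)
        if a is None:
            d.rejected[i] = 'no such artefact'
        elif a.owner != user_id:
            d.rejected[i] = 'not owned by requesting user'
        elif allowed is None or a.artefacttype not in allowed:
            d.rejected[i] = 'type %s not allowed in %s block' % (a.artefacttype, blocktype)
        else:
            d.attached.append(i)
    if not d.ok:
        d.attached = []
    return d


if __name__ == '__main__':
    # User 1 edits an image block but rewrites the ids to user 2's artefacts,
    # as the report describes doing with developer tools or Burp.
    tampered = {'instconf_artefactid_selected[20]': '1',
                'instconf_artefactid_selected[21]': '1'}
    print('vulnerable attaches:', attach_vulnerable(tampered, 1, 'image'))
    print('hardened rejects:  ', attach_hardened(tampered, 1, 'image').rejected)
```

The type check matters independently of the ownership check: even an artefact the user does own should not be embeddable as the wrong kind (the "image as HTML file" case in #2), and rejecting the whole request rather than silently dropping bad ids keeps tampering visible in the server logs.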