** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-4431
-- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1233500 Title: Not checking ownership of blocks before editing them Status in Mahara ePortfolio: Fix Released Status in Mahara 1.5 series: Fix Released Status in Mahara 1.6 series: Fix Released Status in Mahara 1.7 series: Fix Released Bug description: While working on issue https://bugs.launchpad.net/mahara/+bug/1211758 , I noticed that I could spoof the ID of the block that I wanted to edit, and by doing this I could edit other users' blocks. I used the "Burp Suite" tool to edit HTTP requests between my browser and my web server. Steps: 1. Create a Mahara site with two users, A and B 2. User A creates a page with a text block that has ID 35 3. User B creates a page with a text block that has ID 105 4. User B edits their text block, ID 105 5. User B doctors the HTTP request so that the block ID in it is "35" instead of "105" Result: User A's block 35 has all of its contents overwritten by the settings for block 105. This attack could be done either by serially guessing IDs, or possibly by getting the ID by looking at a page that the user has view access to. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1233500/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp