** Changed in: mahara/1.10
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1447377

Title:
  Stored XSS in user reports access lists, and shared tabs for
  user/group/institution

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 1.9 series:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed

Bug description:
  This one requires a malicious institution admin, but could still
  result in privilege escalation to full admin.

  Steps to reproduce:
  - As admin, create a new institution, and a new user with admin rights in 
that institution
  - Log in as new institution admin, change name of institution to 
"<script>alert(1);</script>"
  - Add some new users to the institution; their profile pages will 
automatically be shared with the institution
  - If a full admin runs a user report on that new user now and views the 
access list, they will see the XSS
  - If a user shares a page with this institution, then views "Shared by me", 
then it will trigger
  - If a group shares a page ..., it will trigger
  - If an institution shares a page ..., it will trigger (can be a different 
institution, you just have to be in the same institution to be able to share 
with it (or is it searchable?)).

  Mainly low risk, as it doesn't gain privilege, but the full admin may
  view the access list report of all users legitimately, so that makes it
  critical as privilege escalation is possible (walled garden setups
  where there are lots of institution admins, and they aren't full admins).

  Patch to come.

  Cheers,

  Hugh
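The report above describes the defect but carries no code, and the patch Hugh mentions is not on this page. The following is an added illustration, not Mahara's code and not the actual fix: a hypothetical access-list renderer that interpolates a stored institution display name straight into HTML (the behaviour the reproduction steps expose), next to a hardened version that escapes every untrusted value for the HTML context it lands in. The sample rows, function names and the `<ul>`/`<li>` markup are all constructed for the example.

```php
<?php
// Added example for bug 1447377. NOT Mahara code: a stand-in for a page that
// lists who a view has been shared with, where one row is an institution
// whose display name was set by a malicious institution admin.

// Constructed sample data, following the reproduction steps in the report.
$accessList = [
    ['type' => 'user',        'name' => 'Jane Example'],
    ['type' => 'institution', 'name' => '<script>alert(1);</script>'],
];

// Vulnerable renderer (hypothetical): the stored name goes into the markup
// unescaped, so the <script> element is parsed and run by whoever views the
// access list, including a full site admin running a user report.
function render_access_list_vulnerable(array $rows): string {
    $html = "<ul class=\"accesslist\">\n";
    foreach ($rows as $row) {
        $html .= "  <li class=\"{$row['type']}\">{$row['name']}</li>\n";
    }
    return $html . "</ul>\n";
}

// Output-side escaping for an HTML text or attribute context. ENT_QUOTES
// escapes both quote characters so the same helper is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened renderer: identical markup, but every value read from storage is
// escaped at the point it is written into the page. The institution name is
// still displayed, as literal text rather than as a script element.
function render_access_list_fixed(array $rows): string {
    $html = "<ul class=\"accesslist\">\n";
    foreach ($rows as $row) {
        $html .= '  <li class="' . esc($row['type']) . '">'
               . esc($row['name']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Regression check a reviewer could keep alongside the fix: the stored
// payload must never reach the output as a real start tag.
function contains_raw_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

$vulnerable = render_access_list_vulnerable($accessList);
$fixed      = render_access_list_fixed($accessList);

echo "vulnerable output contains a script tag: ";
var_dump(contains_raw_script_tag($vulnerable));
echo "fixed output contains a script tag: ";
var_dump(contains_raw_script_tag($fixed));
echo $fixed;
```

Run it with `php example.php`. The point of the check is the one the report makes: the name is attacker-controlled data from a lower-privileged role, and the page it is rendered on is one a full admin views as part of normal work, so the escaping has to happen on output in every template that shows the access list (user report, "Shared by me", group and institution share tabs), not only in the form that accepts the institution name.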


_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
