mahara-contributors team mailing list archive

[Bug 798128] Re: All private messages were accessible by wrong users

** Changed in: mahara/1.3
       Status: In Progress => Fix Released

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/798128

Title:
  All private messages were accessible by wrong users

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  When the "Reply to message" functionality is used, a user who should not
  be able to view the PM discussion can view the whole discussion. The
  problem is that in the reply view the 'replyto' parameter is not handled
  properly. If it is changed to any existing message, the whole
  discussion thread is shown, no matter who the user is. Below is an
  example of a URL which is used for replies. With a small guessing game the
  attacker can read all private messages from the system.

  http://ec2-50-17-80-248.compute-1.amazonaws.com/user/sendmessage.php?id=2&replyto=6&returnto=inbox
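The defect described above is a missing ownership check on a caller-supplied identifier: the reply view loads the thread for whatever `replyto` id it is given without asking whether the current user is a party to that message. The following added example, which is not Mahara's code and uses a constructed in-memory message store rather than Mahara's database schema, contrasts that vulnerable lookup with a hardened one that refuses to render a thread unless the requesting user is the sender or recipient of the referenced message. The function names `reply_view_vulnerable` and `reply_view` are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Message:
    id: int
    sender: int
    recipient: int
    parent: Optional[int]  # id of the message this one replies to; None for the thread root
    body: str

# Constructed sample data: two unrelated private conversations.
# Users 1 and 2 talk in thread {1, 2}; users 3 and 4 talk in thread {5, 6}.
MESSAGES = {
    1: Message(1, sender=1, recipient=2, parent=None, body="is the draft ready?"),
    2: Message(2, sender=2, recipient=1, parent=1, body="yes, attached"),
    5: Message(5, sender=3, recipient=4, parent=None, body="salary figures for Q3"),
    6: Message(6, sender=4, recipient=3, parent=5, body="see the spreadsheet"),
}

def root_of(message_id):
    """Follow parent links up to the root of the thread; None if the id is unknown."""
    msg = MESSAGES.get(message_id)
    if msg is None:
        return None
    while msg.parent is not None:
        msg = MESSAGES[msg.parent]
    return msg.id

def thread_of(message_id):
    """All messages that share a root with message_id, oldest first."""
    root = root_of(message_id)
    if root is None:
        return []
    return [m for m in sorted(MESSAGES.values(), key=lambda m: m.id)
            if root_of(m.id) == root]

def reply_view_vulnerable(user_id, replyto):
    """The flawed pattern: the thread is chosen purely by the request parameter.
    user_id is accepted but never consulted, so any authenticated user who
    supplies another pair's message id sees their entire conversation."""
    return thread_of(replyto)

def reply_view(user_id, replyto):
    """Hardened pattern: authorise the referenced message against the session
    user before loading anything, and only return messages the user is party to."""
    msg = MESSAGES.get(replyto)
    if msg is None or user_id not in (msg.sender, msg.recipient):
        # One response for both "no such message" and "not your message", so
        # probing ids does not reveal which identifiers exist.
        raise PermissionError("message not found")
    return [m for m in thread_of(replyto) if user_id in (m.sender, m.recipient)]

def thread_ids(user_id, replyto, handler=reply_view):
    """Small helper for the comparison: the message ids a handler would render."""
    return [m.id for m in handler(user_id, replyto)]

if __name__ == "__main__":
    print("vulnerable, user 1 asks for replyto=6:", thread_ids(1, 6, reply_view_vulnerable))
    try:
        thread_ids(1, 6)
    except PermissionError as exc:
        print("hardened, user 1 asks for replyto=6:", exc)
    print("hardened, user 3 asks for replyto=6:", thread_ids(3, 6))
```

The check belongs in the view that renders the thread, not only in the link that builds the `replyto` URL, because the parameter is attacker-controlled on every request. Filtering the returned thread a second time in `reply_view` is deliberate: if the data model ever allows a message to be re-parented or forwarded, the per-message test still holds.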

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/798128/+subscriptions