mahara-contributors team mailing list archive

[Bug 884223] Re: Administrators masquerading as other users can jump to remote XMLRPC applications as that other user

 

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4118

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/884223

Title:
  Administrators masquerading as other users can jump to remote XMLRPC
  applications as that other user

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  With MNet set up, if a user logs in as another user, and jumps to an
  XMLRPC target, they're logged in to that target as the child user in
  the login as.

  This really shouldn't be the case. If two applications are joined but
  have different administrators, then this would potentially allow for
  privilege escalation.

  If the local application administrator knows of an account which is an
  administrator on a remote application, then they could log in as that
  user on the local application, and jump to the remote application
  thereby escalating their privileges.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/884223/+subscriptions
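The guard the bug calls for, shown as an added PHP illustration that is not Mahara's own code: a session that is an administrator "login as" another user (a masquerade) must not be handed to the remote XMLRPC peer as that user, because the peer cannot see the masquerade relationship and will grant whatever the child account holds there. The class, function and field names (`SessionState`, `parentuser`, `build_jump_request`) are assumptions made for this example, not Mahara identifiers.

```php
<?php
// Added illustration, not Mahara's own code. Models the MNet "jump to remote
// application" step and the check that keeps masquerade sessions local.
// All names below are assumptions for this example, not Mahara identifiers.

class SessionState {
    public $userid;       // effective (current) user id
    public $parentuser;   // id of the admin doing "login as", or null

    public function __construct($userid, $parentuser = null) {
        $this->userid = $userid;
        $this->parentuser = $parentuser;
    }

    // True while an administrator is logged in as another user.
    public function isMasquerading() {
        return $this->parentuser !== null;
    }
}

class JumpDenied extends Exception {}

/**
 * Vulnerable form (the behaviour the bug describes): the remote peer is
 * told only the effective user id, so a masquerading admin arrives on the
 * remote application as the child user, with that user's remote privileges.
 */
function build_jump_request_vulnerable(SessionState $session, $remotehost) {
    return array('host' => $remotehost, 'username' => $session->userid);
}

/**
 * Hardened form: refuse the remote jump outright while a masquerade is
 * active. The remote side cannot distinguish a real login from a
 * "login as", so the safe decision is made locally, before any SSO token
 * is issued.
 */
function build_jump_request(SessionState $session, $remotehost) {
    if ($session->isMasquerading()) {
        throw new JumpDenied(
            'Remote login is disabled while logged in as another user; '
            . 'return to your own account first.');
    }
    return array('host' => $remotehost, 'username' => $session->userid);
}

// Constructed walk-through: admin 1 is "logged in as" user 42.
$masquerade = new SessionState(42, 1);

$req = build_jump_request_vulnerable($masquerade, 'remote.example.org');
// $req['username'] === 42: the remote peer would treat this as user 42's login.

try {
    build_jump_request($masquerade, 'remote.example.org');
} catch (JumpDenied $e) {
    echo $e->getMessage(), PHP_EOL;   // the hardened path refuses the jump
}

// A session that is not a masquerade still jumps normally, as itself.
$plain = new SessionState(42);
$req = build_jump_request($plain, 'remote.example.org');  // username 42, allowed
```

The same check belongs on the reverse path too: when a local application receives an SSO login from a peer, it should treat the asserted identity as the remote user's real session and never assume a masquerade was filtered out upstream, since only the originating application knows that state.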