mahara-contributors team mailing list archive
Message #12803
[Bug 1158625] Re: Make profile information not available for public when not shared
In order to avoid a username enumeration vulnerability on this, we
should make sure that the message you see when trying to access a
profile page you don't have access to is the same as the message you
see when trying to access a profile page that doesn't exist. This is
especially true when clean urls are in place.
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_%28OWASP-AT-002%29
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1158625
Title:
Make profile information not available for public when not shared
Status in Mahara ePortfolio:
In Progress
Status in Mahara 1.5 series:
In Progress
Status in Mahara 1.6 series:
In Progress
Status in Mahara 1.7 series:
New
Bug description:
From at least Mahara 1.6 on, very basic information about a user
(profile picture, name, institution) is made public when public pages
are allowed. This information is displayed even when the user hasn't
shared their portfolio with the public. This came about when changes
were made to the logged-in user profile access.
In the past (at least up to 1.4), you only saw the login screen when
you tried to access a profile of a user but were not logged in. This
should be the case again.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions
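The comment in this message describes the fix in words. The sketch below is an added example, not Mahara's own code (Mahara is PHP; this is Python so it can be run stand-alone): it puts the leaky profile handler next to a non-leaky one and includes a small probe that reports which usernames each handler gives away to an attacker who walks a wordlist through clean URLs of the form /user/<username>. The user table, its sharing flags, the handler and function names, and the /user/ path shape are constructed assumptions for illustration.

```python
# Added example (not Mahara's code): one identical denial for both "no such
# user" and "exists but not shared", so the profile page is not a username
# oracle. Users, field names, handler names and URL shape are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed sample data. "public" = portfolio shared with the public,
# "logged_in" = shared with any logged-in user of the site.
USERS = {
    "alice": {"name": "Alice Example", "public": True, "logged_in": True},
    "bob": {"name": "Bob Example", "public": False, "logged_in": True},
    "dave": {"name": "Dave Example", "public": False, "logged_in": False},
}


def username_from_clean_url(path: str) -> str:
    """With clean URLs the username sits in the path, so probing is just
    requesting /user/<guess> for every guess in a wordlist."""
    prefix = "/user/"
    if not path.startswith(prefix):
        raise ValueError("not a profile URL")
    return path[len(prefix):].split("/", 1)[0]


def can_view(user: dict, viewer_logged_in: bool) -> bool:
    """Access rule: public profiles for everyone, otherwise only what the
    owner shared with logged-in users."""
    return user["public"] or (viewer_logged_in and user["logged_in"])


def vulnerable_profile(username: str, viewer_logged_in: bool) -> Response:
    """Leaky: three distinguishable outcomes, so a 403 confirms the user exists."""
    user = USERS.get(username)
    if user is None:
        return Response(404, "User not found")
    if not can_view(user, viewer_logged_in):
        return Response(403, "You do not have permission to view this profile")
    return Response(200, f"Profile of {user['name']}")


# One fixed denial per viewer state. Anonymous viewers land on the login page,
# as the bug description says earlier releases did; logged-in viewers get a
# generic not-found. Neither says whether the username exists.
LOGIN_REDIRECT = Response(303, "Location: /login")
NOT_FOUND = Response(404, "Profile not found")


def hardened_profile(username: str, viewer_logged_in: bool) -> Response:
    """Non-leaky: "unknown user" and "exists but not shared" are the same response."""
    user = USERS.get(username)
    if user is not None and can_view(user, viewer_logged_in):
        return Response(200, f"Profile of {user['name']}")
    return LOGIN_REDIRECT if not viewer_logged_in else NOT_FOUND


def enumeration_oracle(handler, probes, viewer_logged_in=False):
    """Names an attacker can confirm exist: those whose response differs from
    the response for a control name that is known not to exist."""
    control = handler("no-such-user-zzz", viewer_logged_in)  # constructed control
    return {name for name in probes if handler(name, viewer_logged_in) != control}


if __name__ == "__main__":
    paths = ("/user/alice", "/user/bob", "/user/dave", "/user/carol")
    probes = [username_from_clean_url(p) for p in paths]
    print("vulnerable confirms:", sorted(enumeration_oracle(vulnerable_profile, probes)))
    print("hardened confirms:  ", sorted(enumeration_oracle(hardened_profile, probes)))
```

Whatever the denial is (a login redirect, a generic 404), the check that matters is the one `enumeration_oracle` performs: for a given viewer state, the response for a real but unshared user must be indistinguishable from the response for a username that does not exist. Status code, body and headers all count, and so does response time if the existence lookup and the permission lookup take noticeably different paths.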