mahara-contributors team mailing list archive
Message #13931
[Bug 1211758] Re: Arbitrary image download
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1211758
Title:
Arbitrary image download
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.5 series:
Fix Released
Status in Mahara 1.6 series:
Fix Released
Status in Mahara 1.7 series:
Fix Released
Status in Mahara 1.8 series:
Fix Committed
Bug description:
I've discovered a few vulnerabilities within Mahara that allow any user to view private images and blog posts of other users. Disclosure: I know nothing about Mahara and have only used it for the last 2-3 hours; please forgive me if I am wrong in my assumptions about the architecture/functionality.
#1: Upload permissions are not properly checked when creating a journal
When creating a journal entry a user can attach any arbitrary object by ID. From what I can tell every object (file, journal, picture etc.) is the same object (artefact?), or at least all have a unique ID. This means that if you use the file browser to select a file that you can view, then modify the ID (using Chrome's developer tools or in-flight using Burp) to an ID of a folder, journal entry or image, then that object will be attached to the journal entry.
Here is a screenshot of the issue: http://i.imgur.com/Lwpm808.png
In that image Picture1.png, maxresdefaults.jpg and "tok123tok123's Journal" belong to other users (and give permission errors if you attempt to view them).
#2: Object permissions and types are not correctly checked when embedding content within a page
It is possible to embed private objects belonging to other users within a page. In this screenshot http://i.imgur.com/SShOalI.png I have created a page and attached it to a collection. None of the objects in those blocks belong to the current user (and hence are unviewable), and all are private (the journal entry to the right is unpublished).
You can also select an image file to be embedded as an HTML file (under the 'Some HTML' heading) and get the file contents. You can select a folder, but this causes a 500 error.
When editing a block and selecting an upload, the page sends an instconf_artefactid_selected[ID] parameter to the server. Simply manipulating the ID in the brackets and the value will let you embed any object.
#3: Export function allows arbitrary file download
Using the technique above you can get a 1024x1024 'thumbnail' of any user's arbitrary file. Simply use the export function on a page like the one above where other users' images are embedded. Make sure the embedded image's max-size is set to 1024 and it will appear within /files/extra.
I know these are not serious issues, but I'm sure there are other permission-related issues to be found. I concentrated mainly on the journal and collection features.
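The root cause in all three items above is that a client-supplied artefact ID is trusted without checking, server-side, that the current user may view that artefact and that its type suits the block it is placed in. The following is an added illustration, not Mahara code: a Python model of that check over the instconf_artefactid_selected[ID] parameter shape from the report. The artefact store, owner/share data and the per-block allowed-type table are constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Artefact:
    id: int
    owner: int
    artefacttype: str                      # 'image', 'file', 'folder', 'blogpost', ...
    shared_with: frozenset = frozenset()   # constructed: user ids granted view access

# Constructed sample store; ids and owners are placeholders, not real Mahara data.
ARTEFACTS = {
    10: Artefact(10, owner=1, artefacttype='image'),
    11: Artefact(11, owner=2, artefacttype='image'),      # another user's private image
    12: Artefact(12, owner=2, artefacttype='image', shared_with=frozenset({1})),
    13: Artefact(13, owner=1, artefacttype='folder'),
    14: Artefact(14, owner=2, artefacttype='blogpost'),   # another user's unpublished post
}

# Hypothetical table: which artefact types each block type may embed.
# An 'html' block must never serve image bytes or a folder (items #2 and #3).
ALLOWED_TYPES = {'image': {'image'}, 'html': {'file'}, 'blogpost': {'blogpost'}}

SELECTED_RE = re.compile(r'^instconf_artefactid_selected\[(\d+)\]$')

def selected_ids(form):
    """Pull every artefact ID out of the submitted form; non-numeric IDs are ignored."""
    ids = []
    for key in form:
        m = SELECTED_RE.match(key)
        if m:
            ids.append(int(m.group(1)))
    return ids

def can_view(user, art):
    """Ownership or an explicit share grant is required; the ID alone proves nothing."""
    return art.owner == user or user in art.shared_with

def authorize_selection(user, blocktype, form):
    """Return (accepted, rejected): each ID must exist, be viewable by `user`
    and have a type the block may embed. Rejections carry a reason for logging."""
    accepted, rejected = [], {}
    for aid in selected_ids(form):
        art = ARTEFACTS.get(aid)
        if art is None:
            rejected[aid] = 'unknown artefact'
        elif not can_view(user, art):
            rejected[aid] = 'no view permission'
        elif art.artefacttype not in ALLOWED_TYPES[blocktype]:
            rejected[aid] = f'type {art.artefacttype} not allowed in {blocktype} block'
        else:
            accepted.append(aid)
    return accepted, rejected
```

Logging the rejected entries gives a cheap detection signal: a user repeatedly submitting IDs they cannot view is exactly the manipulation the report describes.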