mahara-contributors team mailing list archive
Message #13934
[Bug 1211758] Re: Arbitrary image download
We had difficulty implementing a fix for issue #3 in this bug's
description: the export of pages that already include links to other
users' artefacts. So since preventing the linking to other users'
artefacts mitigates the risk of that vulnerability somewhat, I've gone
ahead and spun that out into a separate bug:
https://bugs.launchpad.net/mahara/+bug/1234615
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1211758
Title: Arbitrary image download
Status in Mahara ePortfolio: Fix Committed
Status in Mahara 1.5 series: Fix Released
Status in Mahara 1.6 series: Fix Released
Status in Mahara 1.7 series: Fix Released
Status in Mahara 1.8 series: Fix Committed
Bug description:
I've discovered a few vulnerabilities within Mahara that allow any
user to view private images + blog posts of other users. Disclosure: I
know nothing about Mahara and have only used it for the last 2-3
hours; please forgive me if I am wrong in my assumptions about the
architecture/functionality.
#1: Upload permissions are not properly checked when creating a journal
When creating a journal entry a user can attach any arbitrary object by ID. From what I can tell every object (file, journal, picture etc.) is the same kind of object (artefact?), or at least they all have a unique ID. This means that if you use the file browser to select a file that you can view, then modify the ID (using Chrome's developer tools or in-flight using Burp) to the ID of a folder, journal entry or image, then that object will be attached to the journal entry.
Here is a screenshot of the issue: http://i.imgur.com/Lwpm808.png
In that image Picture1.png, maxresdefaults.jpg and "tok123tok123's Journal" belong to other users (and give permission errors if you attempt to view them).
#2: Object permissions and types are not correctly checked when embedding content within a page
It is possible to embed private objects belonging to other users within a page. In this screenshot http://i.imgur.com/SShOalI.png I have created a page and attached it to a collection. None of the objects in those blocks belong to the current user (and hence are unviewable), and all are private (the journal entry to the right is unpublished).
You can also select an image file to be embedded as an HTML file (under
the 'Some HTML' heading) and get the file contents. You can select a
folder, but this causes a 500 error.
When editing a block and selecting an upload, the page sends an
instconf_artefactid_selected[ID] parameter to the server. Simply
manipulating the ID in the brackets and the value will let you embed
any object.
#3: Export function allows arbitrary file download
Using the technique above you can get a 1024x1024 'thumbnail' of any user's arbitrary file. Simply use the export function on a page like the one above where other users' images are embedded. Make sure the embedded image's max-size is set to 1024 and it will appear within /files/extra.
I know these are not serious issues, but I'm sure there are other
permission related issues to be found. I concentrated mainly on the
journal and collection features.
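The server-side authorization check the report describes as missing, as an added example that is not Mahara's code: every client-supplied instconf_artefactid_selected[ID] key is treated as untrusted, and an artefact is accepted only if it exists, is viewable by the current user, and has a type the block allows (so a folder or another user's image is rejected rather than embedded or crashing the page). The Artefact table, the can_view rule and the allowed_types set are constructed assumptions, not Mahara's schema.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for an artefact table (assumption, not Mahara's schema).
@dataclass(frozen=True)
class Artefact:
    id: int
    owner: int
    artefacttype: str
    shared_with: frozenset = frozenset()  # user ids granted view access

ARTEFACTS = {
    101: Artefact(101, owner=1, artefacttype="image"),
    102: Artefact(102, owner=2, artefacttype="image"),  # private to user 2
    103: Artefact(103, owner=2, artefacttype="image", shared_with=frozenset({1})),
    104: Artefact(104, owner=1, artefacttype="folder"),
    105: Artefact(105, owner=2, artefacttype="blogpost"),
}

# Form field shape from the bug report: instconf_artefactid_selected[<id>]
SELECTED_RE = re.compile(r"^instconf_artefactid_selected\[(\d+)\]$")


def can_view(user_id: int, art: Artefact) -> bool:
    """Assumed rule: a viewer may see artefacts they own or that were shared with them."""
    return art.owner == user_id or user_id in art.shared_with


def filter_selected_artefacts(form: dict, user_id: int, allowed_types: set):
    """Validate every client-chosen artefact id before it is attached to a block.

    Returns (accepted_ids, rejected) where rejected maps id -> reason.
    The id in the brackets is attacker-controlled, so existence, view
    permission and artefact type are all re-checked on the server.
    """
    accepted, rejected = [], {}
    for key in form:
        m = SELECTED_RE.match(key)
        if not m:
            continue  # unrelated form field
        aid = int(m.group(1))
        art = ARTEFACTS.get(aid)
        if art is None:
            rejected[aid] = "unknown artefact"
        elif not can_view(user_id, art):
            rejected[aid] = "no view permission"  # blocks cross-user embedding
        elif art.artefacttype not in allowed_types:
            rejected[aid] = "type not allowed"  # e.g. a folder in an image block
        else:
            accepted.append(aid)
    return accepted, rejected
```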