mahara-contributors team mailing list archive
Message #14606
[Bug 1233500] Re: Not checking ownership of blocks before editing them
** No longer affects: mahara/1.8
** Changed in: mahara
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1233500
Title:
Not checking ownership of blocks before editing them
Status in Mahara ePortfolio:
Fix Released
Status in Mahara 1.5 series:
Fix Released
Status in Mahara 1.6 series:
Fix Released
Status in Mahara 1.7 series:
Fix Released
Bug description:
While working on issue https://bugs.launchpad.net/mahara/+bug/1211758,
I noticed that I could spoof the ID of the block that I wanted to
edit, and by doing this I could edit other users' blocks. I used the
"Burp Suite" tool to edit HTTP requests between my browser and my web
server.
Steps:
1. Create a Mahara site with two users, A and B
2. User A creates a page with a text block that has ID 35
3. User B creates a page with a text block that has ID 105
4. User B edits their text block, ID 105
5. User B doctors the HTTP request so that the block ID in it is "35" instead of "105"
Result: User A's block 35 has all of its contents overwritten by the
settings for block 105.
This attack could be done either by serially guessing IDs, or possibly
by getting the ID by looking at a page that the user has view access
to.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1233500/+subscriptions
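The bug above is a missing server-side ownership check on a client-supplied block ID. The following is an added illustration written for this archive page, not Mahara's own code: it models the report's scenario (user A owns block 35, user B owns block 105) with a constructed in-memory store, and places an unchecked edit handler beside one that verifies the session user owns the block before writing. The `Block`, `edit_block_*` and `PermissionDenied` names are assumptions for the example.

```python
# Added example, not Mahara code: ownership check on block edits.
import copy
from dataclasses import dataclass


@dataclass
class Block:
    id: int
    owner: str       # user who owns the page (view) containing the block
    content: str


class PermissionDenied(Exception):
    pass


# Constructed sample data matching the bug report's scenario.
BLOCKS = {
    35: Block(35, "A", "A's original text"),
    105: Block(105, "B", "B's original text"),
}


def edit_block_unchecked(blocks, session_user, block_id, new_content):
    """Vulnerable: trusts the submitted block id and never checks ownership."""
    block = blocks[block_id]
    block.content = new_content
    return block


def edit_block_checked(blocks, session_user, block_id, new_content):
    """Hardened: look the block up server-side and require the session user to own it."""
    block = blocks.get(block_id)
    # Same error for a missing and a foreign block, so the response does not
    # reveal whether a guessed id exists.
    if block is None or block.owner != session_user:
        raise PermissionDenied(f"user {session_user} may not edit block {block_id}")
    block.content = new_content
    return block


def demo():
    """Replay step 5 of the report against both handlers; return what each did."""
    store = copy.deepcopy(BLOCKS)
    edit_block_unchecked(store, "B", 35, "settings for block 105")  # B doctors id to 35
    overwritten = store[35].content
    store = copy.deepcopy(BLOCKS)
    try:
        edit_block_checked(store, "B", 35, "settings for block 105")
        denied = False
    except PermissionDenied:
        denied = True
    edit_block_checked(store, "B", 105, "B's new text")  # B's own block still editable
    return overwritten, denied, store[35].content, store[105].content
```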