mahara-contributors team mailing list archive
Message #14741
[Bug 1236636] Re: Can attach other users' Folders to your Image Gallery block
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1236636
Title:
  Can attach other users' Folders to your Image Gallery block

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.5 series:
  Confirmed
Status in Mahara 1.6 series:
  Confirmed
Status in Mahara 1.7 series:
  Confirmed

Bug description:
  Here's one we missed in Bug 1211758. You can manipulate the HTTP
  request data when selecting the Folder for an Image Gallery (aka
  "slideshow") block, to attach other users' folders.

  Because you lack permission to view the images, you wind up with a
  slideshow of "broken image" placeholders. But as was mentioned in
  1211758, you can still access the images by exploiting the lack of
  verification when you export.

  I tested the Folder block, and was not able to replicate this weakness
  there. So it appears to be limited to Image Gallery.
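
The missing server-side check the report describes, as an added example that is not part of the original message and is not Mahara's code: a block-save handler that trusts the submitted folder id, beside one that verifies type and ownership before storing it. The function names, the array layout and the single-owner permission model are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical names, not Mahara's API or schema.
// Constructed sample data: artefact id => type and owning user id.
$ARTEFACTS = [
    10 => ['type' => 'folder', 'owner' => 1],
    11 => ['type' => 'image',  'owner' => 1],
    20 => ['type' => 'folder', 'owner' => 2],
];

// Vulnerable pattern from the report: the folder id submitted with the
// block configuration form is stored without checking who owns it.
function save_gallery_unchecked(array $artefacts, int $userId, array $post): array {
    return ['type' => 'gallery', 'owner' => $userId, 'folder' => (int) $post['folder']];
}

// Hardened pattern: the id must exist, be a folder, and belong to the
// user saving the block; anything else is rejected before it is stored.
function save_gallery_checked(array $artefacts, int $userId, array $post): array {
    $raw = $post['folder'] ?? null;
    if (!is_string($raw) || !ctype_digit($raw)) {
        throw new InvalidArgumentException('folder id must be a positive integer');
    }
    $id = (int) $raw;
    $artefact = $artefacts[$id] ?? null;
    if ($artefact === null || $artefact['type'] !== 'folder' || $artefact['owner'] !== $userId) {
        // Same error for "missing" and "not yours" so ids cannot be probed.
        throw new RuntimeException('folder not available');
    }
    return ['type' => 'gallery', 'owner' => $userId, 'folder' => $id];
}

// User 1 submits a form whose folder field was changed to user 2's folder.
$tampered = ['folder' => '20'];
$block = save_gallery_unchecked($ARTEFACTS, 1, $tampered);
echo "unchecked: stored folder {$block['folder']}\n";

try {
    save_gallery_checked($ARTEFACTS, 1, $tampered);
} catch (RuntimeException $e) {
    echo "checked: rejected ({$e->getMessage()})\n";
}
$own = save_gallery_checked($ARTEFACTS, 1, ['folder' => '10']);
echo "checked: stored folder {$own['folder']}\n";
```

The same ownership test belongs on every path that later reads the stored id, including export, since the report notes that export performs no verification of its own.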