mahara-contributors team mailing list archive

Thread
Date

[Bug 1236636] Re: Can attach other users' Folders to your Image Gallery block

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Aaron Wells <1236636@xxxxxxxxxxxxxxxxxx>
Date: Thu, 24 Oct 2013 06:43:53 -0000
Reply-to: Bug 1236636 <1236636@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1236636

Title:
  Can attach other users' Folders to your Image Gallery block

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.5 series:
  Confirmed
Status in Mahara 1.6 series:
  Confirmed
Status in Mahara 1.7 series:
  Confirmed

Bug description:
  Here's one we missed in Bug 1211758. You can manipulate the HTTP
  request data when selecting the Folder for an Image Gallery (aka
  "slideshow") block, to attach other users' folders.

  Because you lack permission to view the images, you wind up with a
  slideshow of "broken image" placeholders. But as was mentioned in
  1211758, you can still access the images by exploiting the lack of
  verification when you export.

  I tested the Folder block, and was not able to replicate this weakness
  there. So it appears to be limited to Image Gallery.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1236636/+subscriptions