mahara-contributors team mailing list archive

[Bug Watch Updater <1233500@xxxxxxxxxxxxxxxxxx>]

** Changed in: mahara (Debian)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1233500

Title:
  Not checking ownership of blocks before editing them

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released
Status in Mahara 1.6 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Released
Status in “mahara” package in Debian:
  Fix Released

Bug description:
  While working on issue https://bugs.launchpad.net/mahara/+bug/1211758
  , I noticed that I could spoof the ID of the block that I wanted to
  edit, and by doing this I could edit other users' blocks. I used the
  "Burp Suite" tool to edit HTTP requests between my browser and my web
  server.

  Steps:
  1. Create a Mahara site with two users, A and B
  2. User A creates a page with a text block that has ID 35
  3. User B creates a page with a text block that has ID 105
  4. User B edits their text block, ID 105
  5. User B doctors the HTTP request so that the block ID in it is "35" instead of "105"

  Result: User A's block 35 has all of its contents overwritten by the
  settings for block 105.

  This attack could be done either by serially guessing IDs, or possibly
  by getting the ID by looking at a page that the user has view access
  to.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1233500/+subscriptions