mahara-contributors team mailing list archive
Message #21895
[Bug 1385564] Re: Can illegally access pages that contain a secret url by normal url
I've pushed a patch to clear secret-url access cookies on logout. I'm
also changing this one from "Private security" to "Public security"
because it is more a problem with the setup of the public computers,
than with Mahara itself.
** Changed in: mahara
Importance: Critical => Low
** Information type changed from Private Security to Public Security
** Summary changed:
- Can illegally access pages that contain a secret url by normal url
+ Secret URLs used on public computers
** Summary changed:
- Secret URLs used on public computers
+ Secret URLs used on public computers leak access to later users of the same browser session
** Summary changed:
- Secret URLs used on public computers leak access to later users of the same browser session
+ Secret URLs used on public computers leak access to later users of the same browser
https://bugs.launchpad.net/bugs/1385564
Title: Secret URLs used on public computers leak access to later users of the same browser
Status in Mahara ePortfolio: Confirmed
Bug description:
If a user (or group) creates a private page and gives it a secret URL, and then the page is accessed by the secret URL on a public computer and the user doesn't close their browser window afterwards, other users will also be able to access that page by its normal URL or its secret URL.
This can defy user expectations of access rights.
E.g.
1. Group A admin creates a page and shares it only with the group; the page has id=8.
2. Group A admin creates a secret URL for the page, e.g. /view/view.php?t=nFlSjpVuUCawH6TxP7A3
3. User 1, who is not in the group, goes to the page by its secret URL (while using a computer at the library).
4. User 1 then logs out, but doesn't close their browser window.
5. User 2 comes to the computer and goes to /view/view.php?id=8
Expected result - User 2 can't access the page as they don't know the secret URL
Actual result - User 2 can access the page
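The five steps above, replayed against a small model of the access check (an added illustration written for this page, not Mahara's code): a secret-URL visit stores a per-view grant in the browser's cookie jar, which is why it outlives the session unless logout removes it. The cookie name "viewaccess:<id>" and the status codes are assumptions of the model.

```python
import secrets

class Server:
    """Toy model of the view access check; clear_on_logout=False reproduces the bug."""
    def __init__(self, clear_on_logout):
        self.clear_on_logout = clear_on_logout
        self.views = {}          # view id -> users the page is shared with
        self.secret_tokens = {}  # secret-URL token -> view id
        self.sessions = {}       # session cookie value -> user name

    def create_secret_url(self, view_id):
        token = secrets.token_urlsafe(15)
        self.secret_tokens[token] = view_id
        return f"/view/view.php?t={token}"

    def login(self, cookies, user):
        cookies["session"] = sid = secrets.token_hex(16)
        self.sessions[sid] = user

    def logout(self, cookies):
        self.sessions.pop(cookies.pop("session", None), None)
        if self.clear_on_logout:  # the patch: drop every secret-URL grant with the session
            for name in [c for c in cookies if c.startswith("viewaccess:")]:
                del cookies[name]

    def get(self, cookies, url):
        params = dict(p.split("=", 1) for p in url.partition("?")[2].split("&") if p)
        if "t" in params:
            view_id = self.secret_tokens.get(params["t"])
            if view_id is None:
                return 404
            cookies[f"viewaccess:{view_id}"] = "1"  # grant lives in the browser, not the session
        else:
            view_id = int(params["id"])
        user = self.sessions.get(cookies.get("session"))
        if user in self.views.get(view_id, set()):
            return 200
        return 200 if cookies.get(f"viewaccess:{view_id}") == "1" else 403

def library_scenario(clear_on_logout):
    """Steps 1-5 from the bug report; returns user 2's HTTP status for /view/view.php?id=8."""
    server = Server(clear_on_logout)
    cookies = {}  # one cookie jar: the library computer's browser is never closed
    server.views[8] = {"group_a_admin"}          # 1. shared with group A only
    secret_url = server.create_secret_url(8)     # 2. secret URL created
    server.login(cookies, "user1")
    assert server.get(cookies, secret_url) == 200  # 3. user 1 (not in group) uses the secret URL
    server.logout(cookies)                         # 4. logs out, leaves the window open
    server.login(cookies, "user2")
    return server.get(cookies, "/view/view.php?id=8")  # 5. user 2 tries the normal URL
```

With clear_on_logout=False the scenario returns 200 (user 2 sees the page); with the grants cleared at logout it returns 403.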
This is reported here:
https://mahara.org/interaction/forum/topic.php?id=6520