mahara-contributors team mailing list archive
Message #22423
[Bug 1394082] [NEW] Can create a URL that takes you to a different page depending on whether you're logged in to MNet or not.
*** This bug is a security vulnerability ***
Public security bug reported:
As reported on the mahara.org forum:
https://mahara.org/interaction/forum/topic.php?id=6549
To replicate:
1. Set up a Moodle instance with the Mahara assignment submission plugin
and connect it up to your Mahara instance.
2. Create a view with ID 1000.
3. Create another view with ID 1001.
4. Make both these pages accessible to the public.
5. Set up a Mahara assignment in Moodle.
6. Submit the view with ID 1000 to Moodle as an assignment submission.
7. Note the access URL that gets generated, which will contain an MNet
access token, i.e. /view/view.php?mt=abcd1234
8. Add the ID of page 1001 to this URL:
/view/view.php?id=1001&mt=abcd1234
Expected Result: This URL should either display page 1000 every time, or
an "access denied" message
Actual Result: If you're logged in to Mahara via MNet, you see page
1000. If you're not, you see page 1001.
The cause of this problem is that /view/view.php completely ignores the "mt=" tag if you're not logged in via MNet. In that case, if an ID is also supplied, it falls back to that.
** Affects: mahara
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/1.10
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/1.8
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/1.9
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/15.04
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Tags: mnet
** Changed in: mahara
Milestone: None => 1.10.1
** Also affects: mahara/15.04
Importance: Undecided
Status: New
** Also affects: mahara/1.10
Importance: Undecided
Status: New
** Also affects: mahara/1.9
Importance: Undecided
Status: New
** Also affects: mahara/1.8
Importance: Undecided
Status: New
** Changed in: mahara/1.9
Milestone: None => 1.9.4
** Changed in: mahara/1.8
Milestone: None => 1.8.6
** Changed in: mahara/1.10
Milestone: None => 1.10.1
** Changed in: mahara/15.04
Milestone: 1.10.1 => 15.04.0
** Changed in: mahara/1.10
Importance: Undecided => Low
** Changed in: mahara/1.8
Importance: Undecided => Low
** Changed in: mahara/1.9
Importance: Undecided => Low
** Changed in: mahara/15.04
Importance: Undecided => Low
** Changed in: mahara/1.10
Status: New => Confirmed
** Changed in: mahara/1.8
Status: New => Confirmed
** Changed in: mahara/1.9
Status: New => Confirmed
** Changed in: mahara/15.04
Status: New => Confirmed
** Changed in: mahara/1.10
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/1.8
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/1.9
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/15.04
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Tags added: mnet
** Information type changed from Public to Public Security
https://bugs.launchpad.net/bugs/1394082
Title:
Can create a URL that takes you to a different page depending on
whether you're logged in to MNet or not.
Status in Mahara ePortfolio:
Confirmed
Status in Mahara 1.10 series:
Confirmed
Status in Mahara 1.8 series:
Confirmed
Status in Mahara 1.9 series:
Confirmed
Status in Mahara 15.04 series:
Confirmed
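The parameter handling described in the report, modelled next to a stricter version. This is an added example, not code from Mahara or from the bug thread. The function names, the token table and the list of public views are hypothetical stand-ins built from the values in the replication steps.

```php
<?php
// Added illustration; not Mahara's code. All names and data are hypothetical.
// Constructed sample data: MNet access token -> submitted view, and public views.
const TOKENS = ['abcd1234' => 1000];
const PUBLIC_VIEWS = [1000, 1001];

/** Behaviour described in the report: "mt" only counts for MNet sessions. */
function resolve_view_flawed(array $query, bool $mnetSession): ?int {
    $mt = $query['mt'] ?? null;
    if ($mnetSession && is_string($mt) && array_key_exists($mt, TOKENS)) {
        return TOKENS[$mt];
    }
    // The token is silently dropped and "id" decides which page is shown.
    $id = isset($query['id']) ? (int) $query['id'] : null;
    return in_array($id, PUBLIC_VIEWS, true) ? $id : null;
}

/** Stricter handling: a supplied token is authoritative for every visitor. */
function resolve_view_hardened(array $query): ?int {
    $id = isset($query['id']) ? filter_var($query['id'], FILTER_VALIDATE_INT) : null;
    if ($id === false) {
        return null;                        // malformed id: deny
    }
    if (array_key_exists('mt', $query)) {
        $mt = $query['mt'];
        if (!is_string($mt) || !array_key_exists($mt, TOKENS)) {
            return null;                    // unknown token: deny, no fallback to id
        }
        if ($id !== null && $id !== TOKENS[$mt]) {
            return null;                    // id contradicts the token: deny
        }
        return TOKENS[$mt];
    }
    return in_array($id, PUBLIC_VIEWS, true) ? $id : null;
}

// The two URLs from steps 7 and 8, each seen with and without an MNet session.
// A null result stands for the "access denied" page.
foreach (['mt=abcd1234', 'id=1001&mt=abcd1234'] as $qs) {
    parse_str($qs, $query);
    foreach ([true, false] as $mnet) {
        printf("%-20s mnet=%-5s flawed=%-4s hardened=%s\n", $qs,
            var_export($mnet, true),
            var_export(resolve_view_flawed($query, $mnet), true),
            var_export(resolve_view_hardened($query), true));
    }
}
```

The stricter function takes no session flag, so the same URL resolves to the same result for every visitor, which is the property the report's expected result asks for.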