mahara-contributors team mailing list archive

[Aaron Wells <1429647@xxxxxxxxxxxxxxxxxx>]

*** This bug is a security vulnerability ***

Private security bug reported:

In analyzing watchlist bug 1429505 (pages stay on your watchlist even if
you lose access to them) I noticed a couple of things in the code:

1. You apparently still can receive watchlist notifications about pages
on your watchlist which you don't have access to.

2. There are no access control checks in togglewatchlist.json.php, so it
is apparently possible to add a page to your watchlist even if you don't
have access to it.

Together, these bugs mean that a user could watch private pages, and
receive notifications about changes to those pages. While these
notifications would not contain the actual page content, they would
contain the title of the page and the names of blocks and/or artefacts
changed in the page.

** Affects: mahara
     Importance: Medium
         Status: Triaged

** Affects: mahara/1.10
     Importance: Medium
         Status: Triaged

** Affects: mahara/1.8
     Importance: Medium
         Status: Triaged

** Affects: mahara/1.9
     Importance: Medium
         Status: Triaged

** Affects: mahara/15.04
     Importance: Medium
         Status: Triaged

** Affects: mahara/15.10
     Importance: Medium
         Status: Triaged


** Tags: security viewaccess watchlist

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1429647

Title:
  Watchlist lets you watch and receive notifications about pages you
  don't have view access to

Status in Mahara ePortfolio:
  Triaged
Status in Mahara 1.10 series:
  Triaged
Status in Mahara 1.8 series:
  Triaged
Status in Mahara 1.9 series:
  Triaged
Status in Mahara 15.04 series:
  Triaged
Status in Mahara 15.10 series:
  Triaged

Bug description:
  In analyzing watchlist bug 1429505 (pages stay on your watchlist even
  if you lose access to them) I noticed a couple of things in the code:

  1. You apparently still can receive watchlist notifications about
  pages on your watchlist which you don't have access to.

  2. There are no access control checks in togglewatchlist.json.php, so
  it is apparently possible to add a page to your watchlist even if you
  don't have access to it.

  Together, these bugs mean that a user could watch private pages, and
  receive notifications about changes to those pages. While these
  notifications would not contain the actual page content, they would
  contain the title of the page and the names of blocks and/or artefacts
  changed in the page.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1429647/+subscriptions