Message #53497
[Bug 1817221] Re: A site admin can access Mahara 'root' user and break the site
** Changed in: mahara/18.10
Status: Fix Committed => Fix Released
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1817221
Title:
A site admin can access Mahara 'root' user and break the site
Status in Mahara:
Fix Released
Status in Mahara 17.10 series:
Fix Released
Status in Mahara 18.04 series:
Fix Released
Status in Mahara 18.10 series:
Fix Released
Status in Mahara 19.04 series:
Fix Released
Bug description:
A site admin can break the site by suspending the 'root' user
To replicate:
1) Log in as a site admin
2) Go to Administration -> Users -> User search (admin/users/search.php)
3) Click on the 'username' link of any user
4) Change the URL and make the id= part equal to 0 (e.g. admin/users/edit.php?id=0)
You now can see information for the hidden 'root' user
5) Suspend the user
6) Logout
7) Log in again and you get something like
Mahara: Site unavailable
Something in the way you're interacting with Mahara is causing an error.
Details if any, follow:
Your account has been suspended as of 2019-02-22 10:56:34.
The reason for your suspension is: Bad mojo
Things to fix:
1) Not allow anyone to see the Mahara 'root' user via the admin/users/edit.php page
2) Make sure systems that suspend a user, e.g. rejecting consent to the privacy statement, can't suspend the 'root' user
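As an added example (not Mahara's own code or fix), the two guards the list above calls for, written as plain PHP with hypothetical function names and a constructed in-memory user table standing in for the database:

```php
<?php
// Added illustration, not Mahara's own fix. Guards the hidden 'root'
// account (user id 0, per the report) in both places the report names:
// where an admin page resolves its ?id= parameter, and in the one routine
// every suspension path (admin action, privacy-consent rejection) must use.

const ROOT_USER_ID = 0;
final class ProtectedUserException extends RuntimeException {}

// Resolve the ?id= query parameter of an admin user-edit page (hypothetical helper).
function resolve_admin_edit_target(array $query): int {
    if (!isset($query['id']) || !ctype_digit((string) $query['id'])) {
        throw new InvalidArgumentException('Missing or non-numeric user id');
    }
    $id = (int) $query['id'];
    if ($id === ROOT_USER_ID) {
        throw new ProtectedUserException('The root user cannot be viewed or edited');
    }
    return $id;
}

// Single suspension routine; the check lives here so no caller can bypass it.
function suspend_user(int $id, string $reason, array &$users): void {
    if ($id === ROOT_USER_ID) {
        throw new ProtectedUserException('Refusing to suspend the root user');
    }
    if (!isset($users[$id])) {
        throw new InvalidArgumentException("Unknown user id $id");
    }
    $users[$id]['suspended_at'] = date('Y-m-d H:i:s');
    $users[$id]['suspended_reason'] = $reason;
}

// Constructed in-memory user table standing in for the database.
$users = [
    0 => ['username' => 'root', 'suspended_at' => null, 'suspended_reason' => null],
    1 => ['username' => 'bob',  'suspended_at' => null, 'suspended_reason' => null],
];

suspend_user(1, 'Bad mojo', $users);                  // ordinary user: allowed
foreach ([
    fn() => resolve_admin_edit_target(['id' => '0']), // the URL edit from the report
    fn() => suspend_user(0, 'Bad mojo', $users),      // any suspension path hitting root
] as $attempt) {
    try {
        $attempt();
    } catch (ProtectedUserException $e) {
        echo 'blocked: ', $e->getMessage(), PHP_EOL;
    }
}
```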