mahara-contributors team mailing list archive
Message #66629
[Bug 1978520] [NEW] Files are accessible publicly through thumb.php
*** This bug is a security vulnerability ***
Private security bug reported:
Files are accessible and can be enumerated by their ID via thumb.php and
a particular option.
** Affects: mahara
Importance: Critical
Assignee: Robert Lyon (robertl-9)
Status: In Progress
** Affects: mahara/21.04
Importance: Critical
Status: Confirmed
** Affects: mahara/21.10
Importance: Critical
Status: Confirmed
** Affects: mahara/22.04
Importance: Critical
Status: Confirmed
** Affects: mahara/22.10
Importance: Critical
Assignee: Robert Lyon (robertl-9)
Status: In Progress
** Information type changed from Public to Public Security
** Information type changed from Public Security to Private Security
** Also affects: mahara/22.04
Importance: Undecided
Status: New
** Also affects: mahara/22.10
Importance: Undecided
Assignee: Robert Lyon (robertl-9)
Status: In Progress
** Also affects: mahara/21.10
Importance: Undecided
Status: New
** Also affects: mahara/21.04
Importance: Undecided
Status: New
** Changed in: mahara/22.04
Status: New => Confirmed
** Changed in: mahara/21.10
Status: New => Confirmed
** Changed in: mahara/21.04
Status: New => Confirmed
** Changed in: mahara/22.10
Importance: Undecided => Critical
** Changed in: mahara/22.04
Importance: Undecided => Critical
** Changed in: mahara/21.10
Importance: Undecided => Critical
** Changed in: mahara/21.04
Importance: Undecided => Critical
** Changed in: mahara/22.10
Milestone: None => 22.10.0
** Changed in: mahara/22.04
Milestone: None => 22.04.2
** Changed in: mahara/21.10
Milestone: None => 21.10.4
** Changed in: mahara/21.04
Milestone: None => 21.04.6
--
https://bugs.launchpad.net/bugs/1978520
Title:
Files are accessible publicly through thumb.php
Status in Mahara:
In Progress
Status in Mahara 21.04 series:
Confirmed
Status in Mahara 21.10 series:
Confirmed
Status in Mahara 22.04 series:
Confirmed
Status in Mahara 22.10 series:
In Progress
Bug description:
Files are accessible and can be enumerated by their ID via thumb.php
and a particular option.