I've discovered a few vulnerabilities within Mahara that allow any user to view private images + blog posts of other users. Disclosure: I know nothing about Mahara and have only used it for the last 2-3 hours, please forgive me if I am wrong in my assumptions about the architecture/functionality.
#1: Upload permissions are not properly checked when creating a journal
When creating a journal entry a user can attach any arbitrary object by ID. From what I can tell every object (file, journal, picture etc) are the same object (artifact?), or at least all have a unique ID. This means that if use the file browser to select a file that you can view, then modify the ID (using Chromes developer tools or in-flight using Burp) to an ID of a folder, journal entry or image then that object will be attached to the journal entry.
Here is a screenshot of the issue: http://i.imgur.com/Lwpm808.png
In that image Picture1.png, maxresdefaults.jpg and "tok123tok123's Journal" belong to other users (and give permission errors if you attempt to view them).
#2: Object permissions and types are not correctly checked when embedding content within a page
It is possible to embed private objects belonging to other users within a page. In this screenshot http://i.imgur.com/SShOalI.png I have created a page and attached it to a collection. None of the objects in those blocks belong to the current user (and hence are un-viewable), and all are private (the journal entry to the right is unpublished).
You can also select an image file to be embedded as a HTML file (under the 'Some HTML' heading) and get the file contents. You can select a folder, but this causes a 500 error.
When editing a block and selecting an upload the page sends a instconf_artefactid_selected[ID] parameter to the server. Simply manipulating the ID in the brackets and the value will let you embed any object.
#3: Export function allows arbitrary file download
Using the technique above you can get a 1024x1024 'thumbnail' of any users arbitrary file. Simply use the export function on a page like the one above where other users images are embedded. Make sure the embedded images max-size is set to 1024 and it will appear within /files/extra.
I know these are not serious issues, but I'm sure there are other permission related issues to be found. I concentrated mainly on the journal and collection features.
Nobody seemed interested so I made it public. Its not exactly a 0day anyway.