Can attach other users' Folders to your Image Gallery block
Bug #1236636 reported by Aaron Wells
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Aaron Wells |
1.5 | Fix Released | High | Son Nguyen |
1.6 | Fix Released | High | Son Nguyen |
1.7 | Fix Released | High | Son Nguyen |
Bug Description
Here's one we missed in Bug 1211758. You can manipulate the HTTP request data when selecting the Folder for an Image Gallery (aka "slideshow") block, to attach other users' folders.
Because you lack permission to view the images, you wind up with a slideshow of "broken image" placeholders. But as was mentioned in 1211758, you can still access the images by exploiting the lack of verification when you export.
I tested the Folder block, and was not able to replicate this weakness there. So it appears to be limited to Image Gallery.
Changed in mahara:
status: Confirmed → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
information type: Private Security → Public Security
https://reviews.mahara.org/2584