A site admin can access Mahara 'root' user and break the site
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
High
|
Robert Lyon | ||
| 17.10 |
Fix Released
|
High
|
Unassigned | ||
| 18.04 |
Fix Released
|
High
|
Unassigned | ||
| 18.10 |
Fix Released
|
High
|
Unassigned | ||
| 19.04 |
Fix Released
|
High
|
Robert Lyon | ||
Bug Description
A site admin can break the site by suspending the 'root' user
To replicate:
1) Login in as a site admin
2) Go to Administration -> Users -> User search (admin/
3) Click on the 'username' link of any user
4) Change the url and make the id= part equal to 0 (eg admin/users/
You now can see information for the hidden 'root' user
5) Suspend the user
6) Logout
7) Login again and you get something like
Mahara: Site unavailable
Something in the way you're interacting with Mahara is causing an error.
Details if any, follow:
Your account has been suspended as of 2019-02-22 10:56:34.<br />The reason for your suspension is: Bad mojo
Things to fix:
1) Not allow anyone see the the mahara 'root' user via the admin/users/
2) Make sure systems that suspend a user, eg rejecting consent to privacy statement can't suspend 'root' user
CVE References
| Kristina Hoeppner (kris-hoeppner) wrote | #1 |
| Robert Lyon (robertl-9) wrote | #2 |
| information type: | Private Security → Public Security |
Note for the forum announcement:
Disable logins for everyone when root user is suspended
Severity: Medium
Vulnerability type: Insecure permissions
An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can suspend the system user (root), causing all users to be locked out from the system.
Reported by Robert Lyon (Catalyst)
Bug report: https:/
CVE reference: CVE-2019-9708
Link CVE number to https:/