Need to kill web service authentication session at end of process

Bug #1930469 reported by Robert Lyon
Affects   Status        Importance   Assigned to   Milestone
Mahara    Fix Released  High         Unassigned
20.04     Fix Released  High         Unassigned
20.10     Fix Released  High         Unassigned
21.04     Fix Released  High         Unassigned

Bug Description

Currently when a token based webservice is called it authenticates the owner of the token on the Mahara end so that any functions called by the service can only be executed if the authenticated token owner can run those functions.

One of the problems with the current setup is we don't then kill the session of this token owner when the webservice call is completed.

This means if one hits a site with a crafted URL containing a valid token but no webservice function they will get an error message page, but if they then go to the home page of the site they will find they are logged in as the token owner.

In the webservice_base_server class there is the run() method that goes through the steps to do a webservice call and the last part is calling $this->session_cleanup();

And in that method there is nothing to actually handle the logging out of that session.
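The flaw described above (and restated in the advisory text further down) is a request lifecycle problem: the token owner is logged in at the start of the call, but the logout is skipped when the call errors out, and the cleanup hook does not end the session anyway. The following is an added illustration, not Mahara's own code: a minimal PHP dispatcher whose run() and session_cleanup() names echo the bug report, but whose class, Session helper, token table and exposed function are all hypothetical. It contrasts the vulnerable shape (cleanup only on the success path, cleanup a no-op) with the fixed shape (cleanup in a finally block that destroys the session), using a constructed request with a valid token and no function name.

```php
<?php
// Added illustration (not Mahara's code): a token-authenticated web service
// dispatcher that destroys the token owner's session when the request ends,
// whether it succeeded or threw. Names mirror the bug report; bodies are hypothetical.
declare(strict_types=1);

final class Session {
    /** @var array<string,mixed> */
    private array $data = [];
    public function login(string $user): void { $this->data['user'] = $user; }
    public function user(): ?string { return $this->data['user'] ?? null; }
    public function destroy(): void { $this->data = []; }
}

final class WebserviceServer {
    // Constructed sample token store: token => owner (hypothetical values).
    private const TOKENS = ['tok-alice-0001' => 'alice'];
    /** @var array<string,callable> functions the service exposes */
    private array $functions;

    public function __construct(private Session $session) {
        $this->functions = [
            'whoami' => fn(Session $s): string => 'user=' . $s->user(),
        ];
    }

    // Vulnerable shape: cleanup is reached only on the success path and,
    // as the bug report describes, does not log the token owner out.
    public function run_vulnerable(string $token, ?string $function): string {
        $this->authenticate($token);
        $result = $this->dispatch($function);   // throws on missing/unknown function
        $this->session_cleanup_noop();
        return $result;
    }

    // Fixed shape: cleanup runs in finally and actually ends the session,
    // so an error page is never served with the owner still logged in.
    public function run(string $token, ?string $function): string {
        try {
            $this->authenticate($token);
            return $this->dispatch($function);
        } finally {
            $this->session_cleanup();
        }
    }

    private function authenticate(string $token): void {
        $owner = self::TOKENS[$token] ?? null;
        if ($owner === null) {
            throw new RuntimeException('invalid token');
        }
        $this->session->login($owner);
    }

    private function dispatch(?string $function): string {
        if ($function === null || !isset($this->functions[$function])) {
            throw new RuntimeException('no such web service function');
        }
        return ($this->functions[$function])($this->session);
    }

    private function session_cleanup_noop(): void {
        // Nothing here logs the token owner out.
    }

    private function session_cleanup(): void {
        $this->session->destroy();
    }
}

// Exercise both paths with a constructed request: valid token, no function name.
foreach (['run_vulnerable', 'run'] as $method) {
    $session = new Session();
    $server  = new WebserviceServer($session);
    try {
        $server->$method('tok-alice-0001', null);
    } catch (RuntimeException $e) {
        // This is where the error page would be rendered.
    }
    printf("%-15s session user after request: %s\n",
        $method, $session->user() ?? '(none)');
}
```

Run it with the PHP CLI (PHP 8 or later, because of constructor property promotion). The vulnerable path reports the owner still present in the session after the error, which is the state that lets a subsequent visit to the home page appear logged in; the fixed path reports no user. The same try/finally structure is also the right place to audit in any service that performs per-request impersonation: every exit from run(), normal or exceptional, must pass through the cleanup.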


Robert Lyon (robertl-9) wrote :
Changed in mahara:
status: Confirmed → In Progress
Kristina Hoeppner (kris-hoeppner) wrote :

Vulnerability type: Insecure permissions
Attack type: Remote
Impact: Information disclosure, escalation of privileges

Affected components: A token-based web service authenticates the owner of the token so that functions called by the web service can only be executed if the authenticated token owner can run those functions. However, the session of this token is not ended when the web service call throws an error. This means if you try to access a site with a crafted URL containing a valid token but no web service function, there will be an error message page, and if you then go to the homepage of the site, you will be logged in as the token owner.

Suggested description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure at minimum and often escalation of privileges.

Reported by: Catalyst IT
Bug report: https://bugs.launchpad.net/mahara/+bug/1930469
CVE reference: CVE-2021-40849

summary: - Need to kill webservice authentication session at end of process
+ Need to kill web service authentication session at end of process
Kristina Hoeppner (kris-hoeppner) wrote :

The above is for the security forum post.

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12115
Committed: https://git.mahara.org/mahara/mahara/commit/9e405b25c718bbfbb03e4d30b50cc5e71b34da48
Submitter: Robert Lyon (<email address hidden>)
Branch: main

commit 9e405b25c718bbfbb03e4d30b50cc5e71b34da48
Author: Robert Lyon <email address hidden>
Date: Wed Jun 2 14:26:55 2021 +1200

Security Bug 1930469: Forcing the authenticated user to be logged out

If there is an error in webservice

Change-Id: Ic827da3a385aa14f0a342aaf67b509efac154ad4
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.10_DEV" branch: https://reviews.mahara.org/12186

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12186
Committed: https://git.mahara.org/mahara/mahara/commit/e85a2fedbbd3c825dc73cf903e641b9a117bd9e4
Submitter: Robert Lyon (<email address hidden>)
Branch: 21.10_DEV

commit e85a2fedbbd3c825dc73cf903e641b9a117bd9e4
Author: Robert Lyon <email address hidden>
Date: Wed Jun 2 14:26:55 2021 +1200

Security Bug 1930469: Forcing the authenticated user to be logged out

If there is an error in webservice

Change-Id: Ic827da3a385aa14f0a342aaf67b509efac154ad4
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 9e405b25c718bbfbb03e4d30b50cc5e71b34da48)

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.04_STABLE" branch: https://reviews.mahara.org/12187

Mahara Bot (dev-mahara) wrote :

Patch for "20.10_STABLE" branch: https://reviews.mahara.org/12188

Mahara Bot (dev-mahara) wrote :

Patch for "20.04_STABLE" branch: https://reviews.mahara.org/12189

no longer affects: mahara/21.10
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12189
Committed: https://git.mahara.org/mahara/mahara/commit/620cd1f0180c378a76d8f5b4a647b533eb235aa5
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.04_STABLE

commit 620cd1f0180c378a76d8f5b4a647b533eb235aa5
Author: Robert Lyon <email address hidden>
Date: Wed Jun 2 14:26:55 2021 +1200

Security Bug 1930469: Forcing the authenticated user to be logged out

If there is an error in webservice

Change-Id: Ic827da3a385aa14f0a342aaf67b509efac154ad4
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 9e405b25c718bbfbb03e4d30b50cc5e71b34da48)
(cherry picked from commit e85a2fedbbd3c825dc73cf903e641b9a117bd9e4)

Robert Lyon (robertl-9)
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12187
Committed: https://git.mahara.org/mahara/mahara/commit/74f38088a23eaab04af6ac3019e1372582f49e15
Submitter: Gold (<email address hidden>)
Branch: 21.04_STABLE

commit 74f38088a23eaab04af6ac3019e1372582f49e15
Author: Robert Lyon <email address hidden>
Date: Wed Jun 2 14:26:55 2021 +1200

Security Bug 1930469: Forcing the authenticated user to be logged out

If there is an error in webservice

Change-Id: Ic827da3a385aa14f0a342aaf67b509efac154ad4
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 9e405b25c718bbfbb03e4d30b50cc5e71b34da48)
(cherry picked from commit e85a2fedbbd3c825dc73cf903e641b9a117bd9e4)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12188
Committed: https://git.mahara.org/mahara/mahara/commit/2209dbdaf1754347884f7b4bfac055b666eec368
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.10_STABLE

commit 2209dbdaf1754347884f7b4bfac055b666eec368
Author: Robert Lyon <email address hidden>
Date: Wed Jun 2 14:26:55 2021 +1200

Security Bug 1930469: Forcing the authenticated user to be logged out

If there is an error in webservice

Change-Id: Ic827da3a385aa14f0a342aaf67b509efac154ad4
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 9e405b25c718bbfbb03e4d30b50cc5e71b34da48)
(cherry picked from commit e85a2fedbbd3c825dc73cf903e641b9a117bd9e4)
