Information disclosure in my friends pagination script
Bug #772140 reported by
Richard Mansfield
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
High
|
Richard Mansfield | ||
| 1.3 |
Fix Released
|
High
|
Richard Mansfield | ||
Bug Description
There are three problems with this script:
1. It takes a block id, but doesn't check that the logged-in user is allowed to see the view that the block appears in.
2. It takes a user id, and doesn't check that the user id matches the id of the view owner.
3. It returns a list of friends with too much information; it should only return the html to replace the block content.
Does not affect Mahara 1.2 (there was no friends block pagination).
CVE References
Revision history for this message
| Richard Mansfield (richard-mansfield) wrote | #1 |
| visibility: | private → public |
| Changed in mahara: | |
| status: | In Progress → Fix Committed |
| Changed in mahara: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
