Information disclosure in my friends pagination script

Bug #772140 reported by Richard Mansfield
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Richard Mansfield
Fix Released
Richard Mansfield

Bug Description

There are three problems with this script:
1. It takes a block id, but doesn't check that the logged-in user is allowed to see the view that the block appears in.
2. It takes a user id, and doesn't check that the user id matches the id of the view owner.
3. It returns a list of friends with too much information; it should only return the html to replace the block content.

Does not affect Mahara 1.2 (there was no friends block pagination).

CVE References

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
visibility: private → public
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.