Information disclosure in my friends pagination script

Bug #772140 reported by Richard Mansfield on 2011-04-28
Affects: Mahara
Importance: High
Assigned to: Richard Mansfield
Milestone: 1.3 (Importance: High, Assigned to: Richard Mansfield)

Bug Description

There are three problems with this script:
1. It takes a block id, but doesn't check that the logged-in user is allowed to see the view that the block appears in.
2. It takes a user id, and doesn't check that the user id matches the id of the view owner.
3. It returns a list of friends with too much information; it should only return the html to replace the block content.

Does not affect Mahara 1.2 (there was no friends block pagination).
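The three checks the description calls for, written out as an added example that is not Mahara's own code: the block and view lookups are constructed in-memory stand-ins for the application's data layer, and the logged-in user id is assumed to come from the session rather than from the request.

```php
<?php
// Added example, not Mahara's code. Shows the authorisation gate a
// friends-block pagination endpoint needs before it renders anything.

final class AccessDenied extends RuntimeException {}

// Constructed fixtures standing in for the block/view/friend tables.
const BLOCKS  = [101 => ['view' => 7], 102 => ['view' => 8]];
const VIEWS   = [
    7 => ['owner' => 1, 'allowed' => [1, 2]],  // visible to users 1 and 2
    8 => ['owner' => 3, 'allowed' => [3]],     // visible to its owner only
];
const FRIENDS = [1 => ['alice', 'bob', 'carol'], 3 => ['dave']];

// $loggedInUser is the session user, never a request parameter.
function friendsPage(int $blockId, int $userId, int $loggedInUser,
                     int $offset, int $limit): string
{
    // 1. Resolve the block to its view and check the caller may see that view.
    if (!isset(BLOCKS[$blockId])) {
        throw new AccessDenied('no such block');
    }
    $viewId = BLOCKS[$blockId]['view'];
    if (!in_array($loggedInUser, VIEWS[$viewId]['allowed'], true)) {
        throw new AccessDenied('view is not visible to the caller');
    }
    // 2. The user id must be the view owner; it is not a free parameter.
    if ($userId !== VIEWS[$viewId]['owner']) {
        throw new AccessDenied('user id does not match the view owner');
    }
    // 3. Return only the rendered block fragment, never the friend records.
    $page  = array_slice(FRIENDS[$userId] ?? [], $offset, $limit);
    $items = array_map(
        fn($name) => '<li>' . htmlspecialchars($name, ENT_QUOTES) . '</li>',
        $page
    );
    return '<ul class="friends">' . implode('', $items) . '</ul>';
}

// Usage with the constructed fixtures: user 2 paging the block on view 7.
echo friendsPage(101, 1, 2, 0, 2), "\n";
```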

visibility: private → public
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released