Make profile information not available for public when not shared

Bug #1158625 reported by Kristina Hoeppner
Affects   Status        Importance  Assigned to  Milestone
Mahara    Fix Released  High        Aaron Wells
1.5       Fix Released  High        Aaron Wells
1.6       Fix Released  High        Aaron Wells
1.7       Fix Released  High        Aaron Wells

Bug Description

From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access.

In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again.

Changed in mahara:
milestone: 1.8.0 → 1.7.0
Aaron Wells (u-aaronw)
tags: added: security
Changed in mahara:
milestone: 1.7.0 → 1.8.0
Aaron Wells (u-aaronw) wrote :

In order to avoid a username enumeration vulnerability on this, we should make sure that the message you see when trying to access a profile page you don't have access to is the same as the message you see when trying to access a profile page that doesn't exist. This is especially true when clean URLs are in place.

https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_%28OWASP-AT-002%29

Aaron Wells (u-aaronw)
tags: added: bite-sized
Aaron Wells (u-aaronw) wrote :

Used git bisect to trace this to https://bugs.launchpad.net/mahara/+bug/807275 "Restricted view for user profile". Gerrit patch https://reviews.mahara.org/#/c/448/

Although I think the intent of that feature was that *logged-in* users should still see some basic information about the user. I still think it's a good idea if *logged-out* users can't see anything.

Aaron Wells (u-aaronw) wrote :
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/2418
Committed: http://gitorious.org/mahara/mahara/commit/4ac8cb8fff64c4357e0075d2c6b075fcf6ee638c
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 4ac8cb8fff64c4357e0075d2c6b075fcf6ee638c
Author: Aaron Wells <email address hidden>
Date: Tue Aug 20 19:02:19 2013 +1200

For private profiles, hide all profile information from logged-out users

Bug1158625: If the user hasn't made their profile public, don't even show their pic and name
to logged-out users.

And in order to prevent enumeration attacks, show the same access denied screen to a
logged-out user, whether they hit the URL for an existing profile or whether they entered
an invalid URL.

Change-Id: Ic926fde3e04a59728868fffecc9272136fb83855
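
The enumeration concern raised in the comment above and addressed by this commit, as an added illustration in Python (not Mahara's own PHP code, which is not shown on this page): a simplified profile view in its pre-fix form beside the fixed form, plus a regression check that a logged-out request cannot tell a private profile from a nonexistent one. The user table, the `Response` type and the denial text are constructed for the example; logged-in visitors are simply treated as allowed, standing in for Mahara's restricted view.

```python
from dataclasses import dataclass

# Constructed sample data standing in for Mahara's user table (hypothetical).
USERS = {
    "alice": {"name": "Alice Example", "public_profile": True},
    "bob":   {"name": "Bob Example",   "public_profile": False},
}

@dataclass(frozen=True)
class Response:
    status: int
    body: str

# One shared denial response for both "no such user" and "profile not public".
# Using a single constant is the point: the two cases must not differ in
# status code, body text or any other observable detail.
ACCESS_DENIED = Response(403, "You do not have access to view this page.")

def profile_view_before(username: str, logged_in: bool) -> Response:
    """Pre-fix behaviour as described in the report: a logged-out visitor
    still gets the name of a private profile, and a different message when
    the user does not exist, so the responses reveal which usernames exist."""
    user = USERS.get(username)
    if user is None:
        return Response(404, "User not found.")
    if user["public_profile"] or logged_in:
        return Response(200, f"Profile of {user['name']}")
    return Response(200, f"Profile of {user['name']} (log in to see more)")

def profile_view_after(username: str, logged_in: bool) -> Response:
    """Fixed behaviour: private and nonexistent profiles are indistinguishable
    to anyone who is not permitted to see them."""
    user = USERS.get(username)
    if user is not None and (user["public_profile"] or logged_in):
        return Response(200, f"Profile of {user['name']}")
    return ACCESS_DENIED

def leaks_existence(view) -> bool:
    """Regression check: does a logged-out request to a real private profile
    produce a different response than one to a nonexistent user?
    True means the view can be used to enumerate usernames."""
    return view("bob", logged_in=False) != view("nobody", logged_in=False)
```

The same comparison can be run against a live instance by diffing the full HTTP responses (status, headers, body) for the two cases; any difference, not just in the message text, is a signal.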

Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 1.8rc1 → 1.8.0
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/2571
Committed: http://gitorious.org/mahara/mahara/commit/3535ecd3e4ab8202c8a52ab478436fda68a2d671
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.5_STABLE

commit 3535ecd3e4ab8202c8a52ab478436fda68a2d671
Author: Aaron Wells <email address hidden>
Date: Tue Aug 20 19:02:19 2013 +1200

For private profiles, hide all profile information from logged-out users

Bug1158625: If the user hasn't made their profile public, don't even show their pic and name
to logged-out users.

And in order to prevent enumeration attacks, show the same access denied screen to a
logged-out user, whether they hit the URL for an existing profile or whether they entered
an invalid URL.

Change-Id: Ic926fde3e04a59728868fffecc9272136fb83855

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/2572
Committed: http://gitorious.org/mahara/mahara/commit/6490dda900d252c885c8ca201340af0fb3dc4b24
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.6_STABLE

commit 6490dda900d252c885c8ca201340af0fb3dc4b24
Author: Aaron Wells <email address hidden>
Date: Tue Aug 20 19:02:19 2013 +1200

For private profiles, hide all profile information from logged-out users

Bug1158625: If the user hasn't made their profile public, don't even show their pic and name
to logged-out users.

And in order to prevent enumeration attacks, show the same access denied screen to a
logged-out user, whether they hit the URL for an existing profile or whether they entered
an invalid URL.

Change-Id: Ic926fde3e04a59728868fffecc9272136fb83855

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/2573
Committed: http://gitorious.org/mahara/mahara/commit/fa6494a7ac8f0880dc856c9ec146e3fde24b60df
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.7_STABLE

commit fa6494a7ac8f0880dc856c9ec146e3fde24b60df
Author: Aaron Wells <email address hidden>
Date: Tue Aug 20 19:02:19 2013 +1200

For private profiles, hide all profile information from logged-out users

Bug1158625: If the user hasn't made their profile public, don't even show their pic and name
to logged-out users.

And in order to prevent enumeration attacks, show the same access denied screen to a
logged-out user, whether they hit the URL for an existing profile or whether they entered
an invalid URL.

Change-Id: Ic926fde3e04a59728868fffecc9272136fb83855

Aaron Wells (u-aaronw)
Changed in mahara:
status: Fix Committed → Fix Released