Make profile information not available for public when not shared
Bug #1158625 reported by
Kristina Hoeppner
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Aaron Wells |
1.5 | Fix Released | High | Aaron Wells |
1.6 | Fix Released | High | Aaron Wells |
1.7 | Fix Released | High | Aaron Wells |
Bug Description
From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access.
In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again.
Changed in mahara | |
---|---|
milestone | 1.8.0 → 1.7.0 |
tags | added: security |
milestone | 1.7.0 → 1.8.0 |
tags | added: bite-sized |
status | In Progress → Fix Committed |
milestone | 1.8rc1 → 1.8.0 |
status | Fix Committed → Fix Released |
In order to avoid a username enumeration vulnerability on this, we should make sure that the message you see when trying to access a profile page you don't have access to is the same as the message you see when trying to access a profile page that doesn't exist. This is especially true when clean URLs are in place.
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_%28OWASP-AT-002%29
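The access decision the comment above asks for, as an added illustration that is not Mahara's own code (Mahara is PHP; this is a standalone Python sketch). The `Profile` record, `SAMPLE_USERS`, the function names and the response texts are all constructed here; the point is that the anonymous "no such user" and "user exists but shared nothing" paths end in the same return statement, and that a regression check can verify it.

```python
from dataclasses import dataclass

# Constructed sample records (hypothetical, not Mahara's real schema).
@dataclass(frozen=True)
class Profile:
    username: str
    display_name: str
    institution: str
    portfolio_shared_publicly: bool  # did the user share their portfolio with the public?

SAMPLE_USERS = {
    "alice": Profile("alice", "Alice Example", "Example Institution", False),
    "bob": Profile("bob", "Bob Example", "Example Institution", True),
}

# One fixed denial reused for every anonymous failure, so the response cannot be
# used to tell "no such user" from "user exists but has not shared anything".
DENIED = (403, "You do not have access to this page. Please log in.")


def profile_response(users, username, viewer_logged_in, public_pages_allowed=True):
    """Return (status, body) for a request to a user's profile page.

    Anonymous visitors get the basic profile only when the site allows public
    pages AND that user shared their portfolio publicly; otherwise DENIED.
    """
    profile = users.get(username)
    if not viewer_logged_in:
        # Evaluate the combined condition so the unknown-user and the
        # unshared-user cases fall through to exactly the same return value.
        if public_pages_allowed and profile is not None and profile.portfolio_shared_publicly:
            return (200, f"{profile.display_name} ({profile.institution})")
        return DENIED
    # Logged-in site members may see basic profile information (the 1.6 behaviour).
    if profile is None:
        return (404, "User not found.")
    return (200, f"{profile.display_name} ({profile.institution})")


def anonymous_responses_indistinguishable(users, unknown_username):
    """Regression check: every anonymous denial must equal the unknown-user denial."""
    baseline = profile_response(users, unknown_username, viewer_logged_in=False)
    for name, p in users.items():
        if not p.portfolio_shared_publicly:
            if profile_response(users, name, viewer_logged_in=False) != baseline:
                return False
    # With public pages disabled site-wide, no anonymous response may differ either.
    return all(profile_response(users, n, False, public_pages_allowed=False) == baseline
               for n in list(users) + [unknown_username])
```

In a real deployment the check belongs in the test suite, and it should also cover the HTTP status code and any redirect target, not just the message body.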