Require re-entering RSS feed password when you change the URL
Bug #1172096 reported by Aaron Wells
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Unassigned |
1.5 | Fix Released | Medium | Unassigned |
1.6 | Fix Released | Medium | Unassigned |
1.7 | Fix Released | Medium | Unassigned |
Bug Description
If we implement a fix for https:/
Attack:
1a. Masquerade as the user
1b. OR get the user to give you a copy of the Page containing the RSS feed block
2. Enter the settings for the RSS feed block (or its copy)
3. Change the URL of the RSS feed to point at your own server
Result:
When Mahara next refreshes the RSS feed, it will send the plaintext username and password to your server, where you can easily capture them.
Fix:
Require a user to re-enter the password when they change the URL
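One way to implement the fix described above, as an added example that is not Mahara's own code: the function names, the config keys `url`, `authuser` and `authpassword`, and the example.org / example.net URLs are assumptions made for illustration. The stored password survives a settings save only when the feed endpoint is unchanged.

```php
<?php
// Added example with hypothetical names, not Mahara's code.
// $stored is the block's saved config, $submitted the values posted from the settings form.

// Canonical form of a feed URL, so that only a real change of endpoint counts as "changed".
function feed_endpoint(string $url): string {
    $p = parse_url(trim($url));
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException('Feed URL must be absolute');
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException('Feed URL must use http or https');
    }
    $port  = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $path  = $p['path'] ?? '/';
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return $scheme . '://' . strtolower($p['host']) . ':' . $port . $path . $query;
}

function save_feed_config(array $stored, array $submitted): array {
    $new = [
        'url'          => trim((string) ($submitted['url'] ?? '')),
        'authuser'     => (string) ($submitted['authuser'] ?? ''),
        'authpassword' => (string) ($submitted['authpassword'] ?? ''),
    ];
    $endpoint = feed_endpoint($new['url']); // also validates the submitted URL
    $changed  = empty($stored['url']) || feed_endpoint($stored['url']) !== $endpoint;
    if ($new['authpassword'] === '' && !$changed) {
        // Blank password field and same endpoint: keep the stored secret.
        $new['authpassword'] = (string) ($stored['authpassword'] ?? '');
    }
    // Otherwise the stored password is never carried over to a different URL;
    // a settings form would ask the user to re-enter the password at this point.
    return $new;
}

// Constructed sample data: a saved block (or a copy of it) with stored credentials.
$stored = ['url' => 'https://feeds.example.org/private.rss',
           'authuser' => 'alice', 'authpassword' => 'stored-secret'];
$cases = [
    'same endpoint, different spelling' => 'HTTPS://feeds.example.org:443/private.rss',
    'different host'                    => 'https://collector.example.net/private.rss',
    'https downgraded to http'          => 'http://feeds.example.org/private.rss',
];
foreach ($cases as $label => $url) {
    $saved = save_feed_config($stored, ['url' => $url, 'authuser' => 'alice']);
    printf("%-34s password retained: %s\n", $label, $saved['authpassword'] !== '' ? 'yes' : 'no');
}
```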
CVE References
summary: |
- Require re-entering RSS feed username and password when you change the - URL + Require re-entering RSS feed password when you change the URL |
information type: Private Security → Public Security
Changed in mahara:
status: Triaged → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
I'm only tagging this one "medium" because the attack is only possible if you have masquerade access, or if the user gives you a copy of the Page.