user supplied $_SERVER['HTTP_HOST'] can be used for injections
Bug #1175446 reported by Hugh Davenport
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | Low | Aaron Wells | |
1.6 | Fix Released | Low | Aaron Wells | |
1.7 | Fix Released | Low | Aaron Wells | |
mahara (Debian) | Fix Released | Unknown | | |
Bug Description
http://
curl -H "host:cow\
on a fresh install (not installed yet, as first page hit of installed will store it in db), will show some unescaped
that is used in init.php, to set wwwroot, and noreplyaddress
there is also a possible injection using lib/web.php, the get_requested_
CVE References
Changed in mahara:
importance: Undecided → Low
Changed in mahara:
milestone: none → 1.8.0rc1
status: In Progress → Fix Committed
Changed in mahara:
milestone: 1.8rc1 → 1.8.0
information type: Private Security → Public Security
Changed in mahara:
status: Fix Committed → Fix Released
Changed in mahara (Debian):
status: Unknown → Confirmed
Changed in mahara (Debian):
status: Confirmed → Fix Released
also, according to http://www.ietf.org/rfc/rfc2616.txt s 5.2, "If Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored." stackoverflow.com/a/2297421
see http://
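
The following is an added example, not part of the original report and not Mahara's actual fix. It sketches how a PHP application can derive wwwroot from the request without trusting `$_SERVER['HTTP_HOST']`, following the RFC 2616 s5.2 rule quoted in the comment above. The function names, the allowlist, the fallback URL and the sample requests are all hypothetical, and it assumes the web server passes an absolute Request-URI through in `REQUEST_URI`.

```php
<?php
// Added example, not Mahara's code. All names and sample values are constructed.

// RFC 2616 s5.2: an absoluteURI in the request line overrides the Host header.
// Assumption: the web server passes such a URI through in REQUEST_URI.
function requested_host(array $server): string {
    $uri = $server['REQUEST_URI'] ?? '';
    if (preg_match('~^https?://([^/?#]*)~i', $uri, $m)) {
        return $m[1];
    }
    return $server['HTTP_HOST'] ?? '';
}

// Return lowercase "host[:port]" only if the value is syntactically a
// hostname and is on the configured allowlist; otherwise null.
function validated_host(string $raw, array $allowed): ?string {
    // Letters, digits, dots, hyphens and an optional numeric port only, so
    // quotes, angle brackets, spaces, slashes and "@" can never pass.
    if (!preg_match('/^([a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?)(?::(\d{1,5}))?$/iD', $raw, $m)) {
        return null;
    }
    $host = strtolower($m[1]);
    if (!in_array($host, $allowed, true)) {
        return null;
    }
    return isset($m[2]) ? "$host:{$m[2]}" : $host;
}

// Build wwwroot from a validated host, or use the configured fallback.
function wwwroot_for(array $server, array $allowed, string $fallback): string {
    $host = validated_host(requested_host($server), $allowed);
    if ($host === null) {
        return $fallback; // never reflect an unvalidated host
    }
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . "://$host/";
}

$allowed  = ['portfolio.example.org'];
$fallback = 'https://portfolio.example.org/';
$samples  = [
    ['HTTP_HOST' => 'portfolio.example.org', 'REQUEST_URI' => '/'],
    ['HTTP_HOST' => 'x"><em>not-a-host</em>', 'REQUEST_URI' => '/'],
    ['HTTP_HOST' => 'portfolio.example.org', 'REQUEST_URI' => 'http://other.example.net/'],
];
foreach ($samples as $s) {
    // Escape on output too, so a later validation gap is not an HTML injection.
    echo htmlspecialchars(wwwroot_for($s, $allowed, $fallback), ENT_QUOTES, 'UTF-8'), "\n";
}
```

The second and third samples fall back to the configured URL: one fails the hostname syntax check, the other carries an allowed Host header but an absolute Request-URI naming a host that is not on the allowlist.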