2012-09-07 00:24:17 |
Melissa Draper |
bug |
|
|
added bug |
2012-09-07 00:46:58 |
Melissa Draper |
summary |
XXE possible in mahara |
XEE possible in mahara |
|
2012-09-07 02:22:12 |
Hugh Davenport |
attachment added |
|
xmlsecbug-12.patch https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3297223/+files/xmlsecbug-12.patch |
|
2012-09-07 02:22:24 |
Hugh Davenport |
attachment added |
|
xmlsecbug-13.patch https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3297224/+files/xmlsecbug-13.patch |
|
2012-09-07 02:22:35 |
Hugh Davenport |
attachment added |
|
xmlsecbug-14.patch https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3297225/+files/xmlsecbug-14.patch |
|
2012-09-07 02:23:13 |
Hugh Davenport |
attachment added |
|
xmlsecbug-15.patch https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3297226/+files/xmlsecbug-15.patch |
|
2012-09-07 02:23:25 |
Hugh Davenport |
attachment added |
|
xmlsecbug-16.patch https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3297227/+files/xmlsecbug-16.patch |
|
2012-09-07 02:23:36 |
Hugh Davenport |
attachment added |
|
xmlsecbug-master.patch https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3297228/+files/xmlsecbug-master.patch |
|
2012-09-07 03:28:35 |
Melissa Draper |
bug |
|
|
added subscriber Bug Hunter |
2012-09-14 01:39:23 |
Melissa Draper |
nominated for series |
|
mahara/1.4 |
|
2012-09-14 01:39:23 |
Melissa Draper |
bug task added |
|
mahara/1.4 |
|
2012-09-14 01:39:23 |
Melissa Draper |
nominated for series |
|
mahara/1.5 |
|
2012-09-14 01:39:23 |
Melissa Draper |
bug task added |
|
mahara/1.5 |
|
2012-09-14 01:39:50 |
Melissa Draper |
mahara/1.4: status |
New |
Fix Released |
|
2012-09-14 01:39:54 |
Melissa Draper |
mahara/1.5: status |
New |
Fix Released |
|
2012-09-14 01:40:15 |
Melissa Draper |
mahara/1.4: assignee |
|
Hugh Davenport (hugh-catalyst) |
|
2012-09-14 01:40:32 |
Melissa Draper |
mahara/1.5: assignee |
|
Hugh Davenport (hugh-catalyst) |
|
2012-09-14 01:40:42 |
Melissa Draper |
mahara/1.4: milestone |
|
1.4.4 |
|
2012-09-14 01:40:45 |
Melissa Draper |
mahara/1.5: milestone |
|
1.5.3 |
|
2012-09-14 01:43:48 |
Melissa Draper |
visibility |
private |
public |
|
2012-09-14 01:43:53 |
Melissa Draper |
mahara/1.4: importance |
Undecided |
Critical |
|
2012-09-14 01:43:55 |
Melissa Draper |
mahara/1.5: importance |
Undecided |
Critical |
|
2012-09-14 01:48:36 |
Melissa Draper |
attachment added |
|
xmlsecbug-13.patch https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3313736/+files/xmlsecbug-13.patch |
|
2012-09-14 01:49:59 |
Melissa Draper |
attachment added |
|
xmlsecbug-12.patch https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3313737/+files/xmlsecbug-12.patch |
|
2012-09-14 01:58:23 |
Melissa Draper |
description |
libxml_disable_entity_loader(true) is never called in mahara, which means that xml functionalities are vulnerable to http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
can be fixed by adding libxml_disable_entity_loader(true) in init.
Reported by Mike Haworth. |
There is a security issue with the default XML parser for PHP, where ENTITY fields are loaded and substituted in text parts.
This allows possible attackers to read from internal networks, or files readable by the web server user.
This includes reading of the config.php file, which contains sensitive information such as the database password, and the password salt field.
The fix for this was to include a call to libxml_disable_entity_loader(true) during the initialization of a page.
More information can be found at the following:
http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
Reported by Mike Haworth. |
|
2012-09-14 03:15:07 |
Melissa Draper |
mahara: status |
Confirmed |
Fix Committed |
|
2012-11-08 02:49:38 |
Hugh Davenport |
mahara: status |
Fix Committed |
Fix Released |
|
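The description above (the 2012-09-14 change) names the class of bug and the one-line fix but shows neither. The following is an added example, not Mahara's code or anything from the attached patches: it reproduces the external-entity substitution the report describes and then applies the same mitigation, libxml_disable_entity_loader(true). The temporary file, its contents and the use of DOMDocument with LIBXML_NOENT (to make the substitution explicit on current libxml builds) are assumptions of the example.

```php
<?php
// Added example, not Mahara's code: reproduces the XML external entity (XXE)
// issue described in bug 1047111 and the mitigation its fix applied,
// libxml_disable_entity_loader(true). File path and contents are constructed.

libxml_use_internal_errors(true);   // collect libxml errors instead of emitting warnings

// Stand-in for a file readable by the web server user (e.g. Mahara's config.php).
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "dbpass=example-db-password\n");

// Attacker-controlled document: an external entity whose SYSTEM identifier points
// at the secret file; &xxe; asks the parser to substitute its contents into <data>.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://$secret">]>
<data>&xxe;</data>
XML;

// Parses untrusted XML the way an application might and returns the text it sees.
// LIBXML_NOENT requests entity substitution explicitly; the report states that the
// default PHP parser of the time substituted ENTITY fields without being asked.
function parse_untrusted_xml(string $xml): string
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NOENT)) {
        return '';
    }
    return trim($doc->documentElement->textContent);
}

// 1. Before the fix: the entity loader follows file:// and the secret is leaked
//    into the parsed text.
$leaked = parse_untrusted_xml($payload);
echo "entity loader enabled:  " . var_export($leaked, true) . "\n";

// 2. After the fix: disable the external entity loader once, at initialisation, so
//    every later parse in the request is covered. (Deprecated since PHP 8.0, where
//    the bundled libxml 2.9+ no longer fetches external entities unless a caller opts
//    in, hence the @; the call still takes effect.)
@libxml_disable_entity_loader(true);
$blocked = parse_untrusted_xml($payload);
echo "entity loader disabled: " . var_export($blocked, true) . "\n";

// The refused load is visible to the application as a libxml error, not an exception.
foreach (libxml_get_errors() as $err) {
    echo "libxml: " . trim($err->message) . "\n";
}

unlink($secret);
```

The call is process-global for the lifetime of the request, which is why the fix placed it in init rather than at each parse site: any simplexml_load_string(), DOMDocument::loadXML() or XMLReader call made afterwards is covered, including ones in third-party code. The same flag also blocks the SSRF variant the description mentions (an entity with an http:// SYSTEM identifier aimed at an internal host), since it is the same loader that fetches both.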