XEE possible in mahara
Bug #1047111 reported by Melissa Draper
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | Critical | Hugh Davenport | |
1.4 | Fix Released | Critical | Hugh Davenport | |
1.5 | Fix Released | Critical | Hugh Davenport | |
Bug Description
There is a security issue with the default XML parser for PHP, where ENTITY fields are
loaded and substituted in text parts.
This allows possible attackers to read from internal networks, or files readable by the
web server user.
This includes reading of the config.php file, which contains sensitive information such
as the database password, and the password salt field.
The fix for this was to include a call to libxml_
initialization of a page.
More information can be found at the following:
http://
http://
Reported by Mike Haworth.
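A defensive sketch of the kind of fix the description refers to, added here as an example; it is not Mahara's code. It turns off external entity loading, refuses any document that carries a DOCTYPE, and checks that a marker file standing in for config.php never reaches the parsed output. `libxml_disable_entity_loader()` and `libxml_set_external_entity_loader()` are real PHP functions, but that the first is the call whose name is cut off above is an assumption; `harden_libxml()` and `parse_untrusted_xml()` are hypothetical helper names and the sample documents are constructed.

```php
<?php
// Added example, not Mahara's code. Helper names are hypothetical; samples are constructed.

function harden_libxml(): void
{
    if (PHP_VERSION_ID < 80000) {
        // Deprecated from PHP 8.0, where external entity loading is off by default.
        libxml_disable_entity_loader(true);
    }
    // Refuse every external entity or DTD the parser asks for.
    libxml_set_external_entity_loader(static function () { return null; });
}

function parse_untrusted_xml(string $xml): DOMDocument
{
    harden_libxml();
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET blocks network fetches; LIBXML_NOENT and LIBXML_DTDLOAD stay off.
    $ok = $xml !== '' && $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    if ($dom->doctype !== null) { // no DOCTYPE means no ENTITY declarations at all
        throw new InvalidArgumentException('DOCTYPE not accepted');
    }
    return $dom;
}

// Regression check: a marker file stands in for config.php.
$path = tempnam(sys_get_temp_dir(), 'xee');
file_put_contents($path, 'CONSTRUCTED-MARKER');
$samples = [
    'plain'  => '<profile><name>alice</name></profile>',
    'entity' => '<!DOCTYPE profile [<!ENTITY e SYSTEM "file://' . $path
              . '">]><profile><name>&e;</name></profile>',
];
foreach ($samples as $label => $xml) {
    try {
        $out = parse_untrusted_xml($xml)->saveXML();
        $leak = strpos($out, 'CONSTRUCTED-MARKER') !== false;
        echo "$label: accepted, marker present: " . ($leak ? 'yes' : 'no') . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
unlink($path);
```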
summary:
- XXE possible in mahara
+ XEE possible in mahara
description: updated
Changed in mahara:
status: Confirmed → Fix Committed
note that this won't change the default block title if it contains secure content in it, only block content