Comment 0 for bug 1047111

Melissa Draper (melissa) wrote : XXE possible in mahara

libxml_disable_entity_loader(true) is never called in Mahara, which means that XML functionalities are vulnerable to http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities

Can be fixed by adding libxml_disable_entity_loader(true) in init.

Reported by Mike Haworth.
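
A sketch of the fix suggested in the report, combined with a parser wrapper that refuses any document carrying a DOCTYPE. This is an added example, not Mahara's code: the function names `harden_libxml` and `parse_untrusted_xml` are hypothetical and both sample documents are constructed.

```php
<?php
// Added example; not part of Mahara. Function names are hypothetical.

// Call once during application init, as the report suggests.
// libxml_disable_entity_loader() is deprecated as of PHP 8.0, where libxml
// (2.9.0 and later) no longer loads external entities by default.
function harden_libxml(): void
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
}

// Parse untrusted XML. Returns null if the input is empty, malformed,
// or declares a DOCTYPE (the only place entities can be defined).
function parse_untrusted_xml(string $xml): ?SimpleXMLElement
{
    if ($xml === '') {
        return null;
    }
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately not set: no entity substitution.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;
    }
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            return null; // reject instead of trying to sanitise
        }
    }
    $sx = simplexml_import_dom($dom);
    // An empty SimpleXMLElement is falsy, so test the type explicitly.
    return $sx instanceof SimpleXMLElement ? $sx : null;
}

harden_libxml();

// Constructed sample inputs.
$plain = '<profile><name>alice</name></profile>';
$withDoctype = '<!DOCTYPE profile [<!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">]>'
    . '<profile><name>&ext;</name></profile>';

var_dump(parse_untrusted_xml($plain) !== null);
var_dump(parse_untrusted_xml($withDoctype) !== null);
```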