Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https

Bug #1734767 reported by Robert Lyon on 2017-11-27
Affects   Status   Importance   Assigned to   Milestone
Mahara             High         Unassigned    16.10
Mahara             High         Unassigned    17.04
Mahara             High         Unassigned    17.10
Mahara             High         Unassigned    18.04

Bug Description

If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.
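The browser behaviour the description relies on, written out as an added illustration (this is not Mahara's code nor the linked fix): a small model of a browser's known-HSTS-host store that ignores the header on plain-HTTP responses, honours max-age and includeSubDomains, and upgrades later http:// requests. Host names such as mahara.example and the header values are constructed for the example.

```python
# Added illustration, not Mahara's code: minimal model of browser HSTS handling (RFC 6797).
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Return (max_age, include_subdomains) or None if the header is invalid."""
    max_age, subdomains, seen = None, False, set()
    for directive in filter(str.strip, value.split(";")):
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:            # a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True       # unknown directives (e.g. preload) are ignored
    return None if max_age is None else (max_age, subdomains)


class Browser:
    """Known-HSTS-host store: host -> (expiry timestamp, include_subdomains)."""
    def __init__(self, now=time.time):
        self.now, self.hosts = now, {}

    def observe(self, url, headers):
        """Record a policy from a response; the header on plain HTTP is ignored."""
        parts = urlsplit(url)
        parsed = parse_sts(headers.get("Strict-Transport-Security", ""))
        if parts.scheme != "https" or parsed is None:
            return False
        if parsed[0] == 0:          # max-age=0 tells the browser to forget the host
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = (self.now() + parsed[0], parsed[1])
        return True

    def request_url(self, url):
        """URL the browser actually fetches: http:// is upgraded for known hosts."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        for known, (expires, subdomains) in self.hosts.items():
            if parts.scheme == "http" and expires > self.now() and (
                    host == known or (subdomains and host.endswith("." + known))):
                port = "" if parts.port in (None, 80) else f":{parts.port}"
                return urlunsplit(("https", host + port, parts.path, parts.query, parts.fragment))
        return url
```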

Fix at https://reviews.mahara.org/#/c/8312/

Reported by Kirti AR.

summary: - Mahara needing the Content Security Policy (CSP) to define what is/isn't
- allowed
+ Mahara needing the HTTP Strict Transport Security (HSTS) header when
+ site is https
description: updated
Changed in mahara:
status: Confirmed → In Progress
Robert Lyon (robertl-9) on 2018-01-16
information type: Private Security → Public Security
This report contains Public Security information.