Possible https to http downgrade

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Ruslan Kabalin |
1.2 | Fix Released | High | Ruslan Kabalin |
1.3 | Fix Released | High | Ruslan Kabalin |
Bug Description
Interesting that with both bug #646713 and bug #684190, we overlooked the most obvious and relatively sensitive issue.
Even though $cfg->wwwroot might be set 'https:/
This is valid for other pages after logging in - at any time the user may switch back to an insecure connection by typing 'http://
This can be fixed by ensuring that $_SERVER['HTTPS'] is set when $cfg->wwwroot = 'https:/
- summary: "If wwwroot is defined to use https, it is not the fact that it is being used." → "Possible https to http downgrade"
- Changed in mahara: status: Confirmed → In Progress
- Changed in mahara: assignee: nobody → Ruslan Kabalin (ruslan-kabalin); visibility: private → public
- Changed in mahara: status: In Progress → Fix Committed
- Changed in mahara: status: Fix Committed → Fix Released; milestone: 1.4.0 → none
Another thing that is worth doing as far as the server configuration is concerned is to enable HSTS:
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
http://www.debian-administration.org/article/662/Enabling_HTTP_Strict_Transport_Security_on_debian_servers
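As an added illustration, not Mahara's own code and not taken from this bug report, here is a PHP check of the kind the description calls for: when wwwroot is https but the request is not, redirect to the https URL, and send the HSTS header suggested in the comment above once the connection is secure. The function names, the trusted-proxy flag and the sample values are assumptions; only $cfg->wwwroot and $_SERVER['HTTPS'] come from the report.

```php
<?php
// Added example, not Mahara's own code. Function names, the trusted-proxy flag and
// the sample values are assumptions; $cfg->wwwroot and $_SERVER['HTTPS'] are from the bug.

// True when the request arrived over TLS. X-Forwarded-Proto is only honoured when the
// deployment declares a TLS-terminating proxy; otherwise a client could forge the
// header and keep the downgrade alive.
function request_is_https(array $server, bool $behind_trusted_proxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return $behind_trusted_proxy
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Returns the https URL to redirect to when wwwroot is https but the request is not,
// or null when no redirect is needed. Host and port come from wwwroot, never from the
// Host header, so a forged Host cannot steer the redirect.
function https_redirect_target(string $wwwroot, array $server, bool $behind_trusted_proxy = false): ?string
{
    if (stripos($wwwroot, 'https://') !== 0 || request_is_https($server, $behind_trusted_proxy)) {
        return null;
    }
    $host = parse_url($wwwroot, PHP_URL_HOST);
    $port = parse_url($wwwroot, PHP_URL_PORT);
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }
    return 'https://' . $host . ($port ? ':' . $port : '') . $path;
}

// Call early in the bootstrap, before any session cookie or page output is sent.
function enforce_https(string $wwwroot, bool $behind_trusted_proxy = false): void
{
    $target = https_redirect_target($wwwroot, $_SERVER, $behind_trusted_proxy);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    if (stripos($wwwroot, 'https://') === 0) {
        // HSTS: the browser refuses plain http for this host for max-age seconds.
        header('Strict-Transport-Security: max-age=31536000');
    }
}

// Constructed sample: https wwwroot (stands in for $cfg->wwwroot), request over plain http.
$wwwroot = 'https://mahara.example.org/';
$sample = ['HTTPS' => '', 'REQUEST_URI' => '/user/view.php?id=42'];
var_dump(https_redirect_target($wwwroot, $sample));
```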