** Changed in: mahara
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/685942

Title:
  Possible https to http downgrade

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.2 series:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  Interesting that with both bug #646713 and bug #684190, we overlooked
  the most obvious and relatively sensitive issue.

  Even though $cfg->wwwroot might be set to 'https://somemaharasite',
  depending on the Apache config, a user may still be able to use the
  insecure page for logging in by entering 'http://somemaharasite' in the
  web browser address field; then, upon logging in, the user credentials
  will be passed through the insecure connection first, before the server
  responds with a redirection to the https-secured page.

  This is valid for other pages after logging in - at any time the user
  may switch back to an insecure connection by typing
  'http://somemaharasite/somedir/somepage.php'.

  This can be fixed by ensuring that $_SERVER['HTTPS'] is set when
  $cfg->wwwroot = 'https://...', and otherwise redirecting the user to the
  same page using https.
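The check the report proposes, written out as an added PHP example (not Mahara's own code). It assumes a config object with `$cfg->wwwroot` in Mahara's style; the function names `https_redirect_target()` and `ensure_https()` are hypothetical.

```php
<?php
// Added example, not Mahara's own code. Mirrors the fix the bug report
// proposes: when $cfg->wwwroot is https://..., a request that did not arrive
// over TLS is redirected to the https form of the same page.
// $cfg->wwwroot follows Mahara's config convention; function names are
// hypothetical.

/**
 * Return the https URL to redirect to, or null when no redirect is needed
 * (site not configured for https, or the request already came over TLS).
 */
function https_redirect_target(object $cfg, array $server): ?string
{
    if (stripos($cfg->wwwroot, 'https://') !== 0) {
        return null;                 // site is not configured as https
    }
    // Apache's mod_ssl sets HTTPS to 'on' for TLS requests and leaves it
    // unset for plain http; IIS sets it to 'off' instead of leaving it unset.
    $https = strtolower($server['HTTPS'] ?? '');
    if ($https !== '' && $https !== 'off') {
        return null;                 // already on TLS, nothing to do
    }
    // Take host and port from the trusted wwwroot rather than from the
    // client-supplied Host header, so the redirect cannot be steered elsewhere.
    $host = parse_url($cfg->wwwroot, PHP_URL_HOST);
    $port = parse_url($cfg->wwwroot, PHP_URL_PORT);
    $authority = $host . ($port ? ':' . $port : '');
    // REQUEST_URI is the absolute path of the page that was asked for, so the
    // user lands on the same page, just over https.
    $path = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $authority . $path;
}

/** Call early in every request, before any login form or session work. */
function ensure_https(object $cfg): void
{
    $target = https_redirect_target($cfg, $_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
}

// Constructed sample: plain-http request to a page on an https-configured
// site (no HTTPS key, as Apache without mod_ssl leaves it).
$cfg = (object) ['wwwroot' => 'https://somemaharasite/'];
$server = ['REQUEST_URI' => '/somedir/somepage.php'];
var_dump(https_redirect_target($cfg, $server));
```

The redirect only helps when it fires on the page that serves the form; a POST that already carried credentials over http has leaked them before the server answers, which is why the check must run on every request rather than just after login. Sending a Strict-Transport-Security header on https responses makes browsers stop issuing plaintext requests to the host at all after the first secure visit.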
