Where can I find the patches? We are looking at getting this fixed in the individual files instead of doing a whole system upgrade.
Thanks.

-- 
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1061980

Title:
  XSS using user uploaded SVG files

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.4 series:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released

Bug description:
  I have come across a serious security issue on Mahara version 1.5 which can allow an attacker to store a malicious script on the latest version of Mahara.

  Testing Environment:
    Operating System: Windows 7 (32-bit)
    Web Server: WAMP v2.2
    Browser: Mozilla Firefox v15.0.1
    Vulnerable Path URL Location: http://localhost/mahara/artefact/file/

  Description:
  I uploaded an SVG file with a malicious payload. Since there was no validation of the malicious content, I was able to upload a file with a malicious script. Kindly find the screenshots as an attachment along with this mail.

  I request you to kindly implement proper sanitization for handling file contents.

  Thank You.
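The report above describes stored XSS through an uploaded SVG: the file is accepted as an image, but SVG is an XML document that can carry `<script>` elements, `on*` event handlers and `javascript:` links, and a browser that opens it directly will run them in the site's origin. The following is an added example, not Mahara's own code or the fix shipped for this bug; it shows a server-side validation step that an upload handler could run on an `image/svg+xml` file before storing it. The sample SVGs are constructed for the demonstration, and the element and attribute lists are the assumptions of this example, not a list drawn from the Mahara code base.

```python
"""Reject user-uploaded SVG files that can carry script (added example, not Mahara code)."""
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed foreign (HTML) content inside an SVG.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Elements whose href makes the browser fetch and render external content.
HREF_FETCHING_ELEMENTS = {"use", "image", "feimage"}
# CSS constructs that load remote resources or (in old engines) run script.
CSS_ACTIVE = re.compile(r"@import|url\(|expression\(", re.I)
# The only data: URLs allowed: raster images, never text/html or image/svg+xml.
SAFE_DATA_URL = re.compile(r"^data:image/(png|jpe?g|gif|webp)[;,]")


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def _norm(value: str) -> str:
    """Browsers ignore ASCII control characters and whitespace inside a URL
    scheme, so 'java\\tscript:' is still javascript:. Normalise before matching."""
    return re.sub(r"[\x00-\x20]", "", value).lower()


def check_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing dangerous was seen."""
    findings = []
    # These two never reach the element tree (ElementTree drops processing
    # instructions and expands internal entities), so check the raw bytes first.
    if re.search(rb"<!ENTITY", data, re.I):
        findings.append("DOCTYPE with entity declarations")
    if re.search(rb"<\?xml-stylesheet", data, re.I):
        findings.append("xml-stylesheet processing instruction")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():  # includes the root, so onload="" on <svg> is seen
        tag = _local(el.tag)
        if tag in DANGEROUS_ELEMENTS:
            findings.append(f"<{tag}> element")
        if tag == "style" and CSS_ACTIVE.search(el.text or ""):
            findings.append("<style> with external or scripted CSS")
        for name, value in el.attrib.items():
            attr = _local(name)          # xlink:href and href are treated alike
            v = _norm(value)
            if attr.startswith("on"):
                findings.append(f"event handler attribute {attr}= on <{tag}>")
            if attr == "style" and CSS_ACTIVE.search(v):
                findings.append(f"style attribute with active CSS on <{tag}>")
            # Any attribute, not only href: <set to="javascript:..."> and
            # <animate values="..."> can rewrite an href at runtime.
            if v.startswith(("javascript:", "vbscript:")) or (
                v.startswith("data:") and not SAFE_DATA_URL.match(v)
            ):
                findings.append(f"scripted URL in {attr}= on <{tag}>")
            elif attr == "href" and tag in HREF_FETCHING_ELEMENTS and not v.startswith("#"):
                findings.append(f"external reference in {attr}= on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not check_svg(data)


# Constructed sample: a harmless drawing as a user would normally upload it.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle id="dot" cx="5" cy="5" r="4" fill="red"/>
  <use href="#dot"/>
</svg>"""

# Constructed sample: the kind of file the report describes.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.cookie)">
  <script type="text/javascript">alert(document.domain)</script>
  <a xlink:href="javascript:alert(1)"><text x="0" y="10">click</text></a>
</svg>"""

# Constructed sample: no <script> element, but the same effect via an
# entity-encoded tab in the scheme, an animation target and a remote fetch.
OBFUSCATED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="java&#x09;script:alert(1)"><text y="10">x</text></a>
  <set attributeName="href" to="javascript:alert(2)"/>
  <image href="http://attacker.example/track.png"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG), ("obfuscated", OBFUSCATED_SVG)]:
        print(label, "->", check_svg(doc) or "clean")
```

A deny-list check like this is a gate, not a sanitizer: it refuses files it can explain rather than rewriting them, and new elements or attributes it does not know about pass through. Whatever validation is chosen, serving uploaded files from a separate origin, or with `Content-Disposition: attachment` and a `Content-Security-Policy: sandbox` header, keeps a file that slips past the check from running script in the application's own origin.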

