Hi Shen,

If you would prefer to use git to patch your code, see the latest commits on the branches 1.4_STABLE, 1.5_STABLE, 1.6_STABLE and master (the 1.6 and master commits may not be the latest patches, as they are in current development).
Cheers,
Hugh

-- 
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1061980

Title:
  XSS using user uploaded SVG files

Status in Mahara ePortfolio: In Progress
Status in Mahara 1.4 series: Fix Released
Status in Mahara 1.5 series: Fix Released

Bug description:
  I have come across a serious security issue in Mahara version 1.5 which can allow an attacker to store a malicious script on the latest version of Mahara.

  Testing Environment:
    Operating System: Windows 7 (32-bit)
    Web Server: WAMP v2.2
    Browser: Mozilla Firefox v15.0.1

  Vulnerable Path URL Location: http://localhost/mahara/artefact/file/

  Description: I uploaded an SVG file with a malicious payload. Since there was no validation of the malicious content, I was able to upload a file with a malicious script. Kindly find the screenshots attached to this mail. I request you to kindly implement proper sanitisation for handling file contents.

  Thank you.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1061980/+subscriptions

Mailing list: https://launchpad.net/~mahara-contributors
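A check of the kind the report asks for, added here as an example; it is not Mahara's code and not the fix that shipped on the branches above. It parses an uploaded SVG and rejects it if it carries any of the common inline script vectors: script-like elements, on* event-handler attributes, and javascript:/data: URLs in href-like attributes, including the SMIL animation targets that rewrite href. Python is used for the illustration (Mahara itself is PHP); the element and attribute lists, the size cap and the two sample files are assumptions made for the example, not taken from the report.

```python
"""Server-side check for script-bearing SVG uploads.

Added example for this bug report; not Mahara's code. It walks the parsed SVG
and reports the vectors a browser could use to run script when the file is
rendered inline: active elements, on* attributes, and javascript:/data: URLs
in href-like attributes (including SMIL <set>/<animate> targets).
"""
import re
import xml.etree.ElementTree as ET

# xml.etree relies on the underlying Expat build for entity-expansion
# protection, so also bound the amount of attacker-controlled input parsed.
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for the example

# Elements that execute script or embed an arbitrary HTML/XML document.
ACTIVE_ELEMENTS = {"script", "handler", "foreignobject", "iframe", "embed", "object"}

# Attributes whose value is (or animates to) a URL. "href" covers both the
# SVG 2 bare attribute and xlink:href once the namespace prefix is stripped.
URL_ATTRIBUTES = {"href", "src", "from", "to", "by", "values"}

SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# data: URLs whose payload type can itself contain script.
ACTIVE_DATA_URL = re.compile(r"^data:(image/svg\+xml|text/html|application/xhtml\+xml)")


def _local_name(qualified):
    """Strip an ElementTree '{namespace}local' prefix and lower-case the result."""
    return qualified.rsplit("}", 1)[-1].lower()


def _url_risk(value):
    """Return why a URL value is dangerous, or None if it looks inert.

    Browsers match the scheme case-insensitively and strip leading control
    characters and whitespace first, so normalise at least as aggressively.
    Dropping every character <= 0x20 over-approximates, which is acceptable
    for a reject-on-match check (it can only add findings, never hide one).
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    if cleaned.startswith(SCRIPT_SCHEMES):
        return cleaned.split(":", 1)[0] + ": URL"
    if ACTIVE_DATA_URL.match(cleaned):
        return "data: URL carrying SVG/HTML"
    return None


def find_script_vectors(svg_bytes):
    """Return a list of human-readable findings; an empty list means none found."""
    if len(svg_bytes) > MAX_BYTES:
        return ["file exceeds size limit"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # A browser would still attempt to render malformed markup; reject it.
        return [f"not well-formed XML: {exc}"]

    findings = []
    for elem in root.iter():
        tag = _local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local_name(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRIBUTES:
                # "values" is a semicolon-separated list; check every entry.
                for candidate in value.split(";"):
                    risk = _url_risk(candidate)
                    if risk:
                        findings.append(f"{risk} in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes):
    """True when no script vector was found in the upload."""
    return not find_script_vectors(svg_bytes)


# Constructed samples for the example, not the files attached to the report.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="teal"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href=" JavaScript:alert(2)"><text y="10">click</text></a>
  <set attributeName="href" to="javascript:alert(3)"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", find_script_vectors(doc) or "no script vectors")
```

Treat a check like this as defence in depth rather than the fix: a deny-list of active elements and attributes is never complete (CSS url() references, external stylesheets and newer SVG features all fall outside it), so user uploads should additionally be served in a way that stops a browser rendering them inline on the application origin, for example with Content-Disposition: attachment or from a separate download domain.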

