Reviewed:  https://reviews.mahara.org/2102
Committed: http://gitorious.org/mahara/mahara/commit/f33d4cef66356d3fd96c54bde58bee983d6e61a1
Submitter: Aaron Wells (aar...@catalyst.net.nz)
Branch:    master

commit f33d4cef66356d3fd96c54bde58bee983d6e61a1
Author: Aaron Wells <aar...@catalyst.net.nz>
Date:   Wed May 1 14:16:23 2013 +1200

Documenting safe usage of simplexml_load_file()

Bug1047111

Change-Id: I850603dbc1d85f4360ce227d2658e5abb51af1aa

https://bugs.launchpad.net/bugs/1047111

Title:
  XEE possible in mahara

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.4 series:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released

Bug description:
  There is a security issue with the default XML parser for PHP, where ENTITY fields are
  loaded and substituted in text parts.

  This allows possible attackers to read from internal networks, or files readable by the
  web server user.

  This includes reading of the config.php file, which contains sensitive information such
  as the database password, and the password salt field.

  The fix for this was to include a call to libxml_disable_entity_loader(true) during the
  initialization of a page.

  More information can be found at the following:
   http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
   http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html

  Reported by Mike Haworth.
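
One way to apply the fix described above when parsing a single file, as an added example (not Mahara's code and not taken from the commit): the hypothetical helper `load_xml_safely()` reads the file itself, turns the entity loader off for the parse on PHP versions before 8.0, and refuses any document that declares a DOCTYPE. The file names and both sample documents are constructed.

```php
<?php
// Added example, not Mahara's code. load_xml_safely() is a hypothetical helper.

/**
 * Parse an XML file without letting libxml fetch external entities.
 * Returns a SimpleXMLElement, or false when the file is unreadable,
 * malformed, or declares a DOCTYPE.
 */
function load_xml_safely(string $path)
{
    // Read the bytes ourselves: once the entity loader is disabled,
    // simplexml_load_file() can no longer open the file on its own.
    $xml = @file_get_contents($path);
    if ($xml === false || $xml === '') {
        return false;
    }

    // PHP < 8.0: switch the entity loader off for this parse, then restore the
    // previous setting. PHP 8.0 deprecates the call; there, external entities
    // are only substituted when LIBXML_NOENT is passed, so it is never passed.
    $legacy = PHP_VERSION_ID < 80000;
    $previousLoader = $legacy ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    $parsed = $dom->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($legacy) {
        libxml_disable_entity_loader($previousLoader);
    }

    // Entities can only be declared in a DOCTYPE, so a document that has one
    // is refused outright rather than trusted to be harmless.
    if (!$parsed || $dom->doctype !== null) {
        return false;
    }
    return simplexml_import_dom($dom);
}

// Constructed sample input: one plain document, one that declares an entity.
$dir = sys_get_temp_dir();
file_put_contents("$dir/plain.xml", '<profile><name>Example</name></profile>');
file_put_contents("$dir/entity.xml",
    '<!DOCTYPE profile [<!ENTITY e SYSTEM "file:///placeholder">]>'
    . '<profile><name>&e;</name></profile>');

var_dump((string) load_xml_safely("$dir/plain.xml")->name);
var_dump(load_xml_safely("$dir/entity.xml"));
```

The DOCTYPE check is made on the parsed document rather than on the raw bytes, so it does not depend on the file's encoding.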
