** Information type changed from Private Security to Public Security

-- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or the mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1175446
Title: user supplied $_SERVER['HTTP_HOST'] can be used for injections

Status in Mahara ePortfolio: Fix Committed
Status in Mahara 1.6 series: Fix Released
Status in Mahara 1.7 series: Fix Released

Bug description:

http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

curl -H "host:cow\"onerror='alert(1)" localhost/code/mahara/htdocs/admin/ | fgrep cow

on a fresh install (not installed yet, as the first page hit of an installed one will store it in the db), will show some unescaped that is used in init.php to set wwwroot, and noreplyaddress.

There is also a possible injection using lib/web.php: get_requested_host_name uses it, which is used by clean_urls, and by AccessDeniedException.
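The pattern the report describes, reproduced as an added example that is not Mahara's code: a wwwroot built straight from HTTP_HOST and embedded in markup, beside a hardened variant that validates the Host header against strict host syntax and a deployment allowlist before using it, and falls back to a configured wwwroot otherwise. The request dicts, ALLOWED_HOSTS, FALLBACK_WWWROOT and requested_host_name are all constructed for this example; requested_host_name is a stand-in for the idea of a validating helper, not a copy of Mahara's get_requested_host_name.

```python
import html
import re

# Constructed sample Host values (not captured from a real Mahara instance).
# ATTACK_HOST mimics the curl command in the bug report.
ATTACK_HOST = "cow\"onerror='alert(1)"
BENIGN_HOST = "mahara.example.org:8080"

# Assumed deployment settings for this example.
ALLOWED_HOSTS = {"mahara.example.org", "localhost"}
FALLBACK_WWWROOT = "https://mahara.example.org/"

# Strict host[:port] syntax: one or more DNS labels (letters, digits, hyphens,
# no leading/trailing hyphen) with an optional numeric port. IPv6 literals are
# deliberately out of scope here.
_HOST_RE = re.compile(
    r"^(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    r"(?::(?P<port>\d{1,5}))?$",
    re.IGNORECASE,
)


def vulnerable_wwwroot(environ):
    """Trust HTTP_HOST as-is, which is the behaviour the report describes."""
    return "http://" + environ["HTTP_HOST"] + "/"


def vulnerable_page(environ):
    """Embed the untrusted wwwroot in an HTML attribute without escaping."""
    return '<img src="' + vulnerable_wwwroot(environ) + 'theme/logo.png">'


def requested_host_name(environ, allowed=ALLOWED_HOSTS):
    """Return a validated, lower-cased host[:port], or None if the Host header
    is syntactically invalid, carries an out-of-range port, or names a host
    that is not in the allowlist."""
    raw = environ.get("HTTP_HOST", "")
    m = _HOST_RE.match(raw)
    if not m:
        return None
    host = m.group("host").lower()
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    if host not in allowed:
        return None
    return host if port is None else f"{host}:{port}"


def hardened_wwwroot(environ):
    """Use the request host only after validation; otherwise use the
    configured wwwroot rather than anything attacker-supplied."""
    host = requested_host_name(environ)
    if host is None:
        return FALLBACK_WWWROOT
    return "http://" + host + "/"


def hardened_page(environ):
    """Escape on output as well, so even an allowed but odd value cannot
    break out of the attribute."""
    root = html.escape(hardened_wwwroot(environ), quote=True)
    return '<img src="' + root + 'theme/logo.png">'
```

The two checks are independent: the allowlist stops cache-poisoning and password-reset style Host attacks that use a well-formed but foreign hostname, while output escaping stops the attribute break-out shown in the report even if validation is bypassed.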

