** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-7413
--
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1172096

Title:
  Require re-entering RSS feed password when you change the URL

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released
Status in Mahara 1.6 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Released

Bug description:
  If we implement a fix for https://bugs.launchpad.net/mahara/+bug/1016253 (encrypt RSS feed usernames & passwords) there's still a potential attack vector in the URL to the RSS feed.

  Attack:
  1a. Masquerade as the user
  1b. OR get the user to give you a copy of the Page containing the RSS feed block
  2. Enter the settings for the RSS feed block (or its copy)
  3. Change the URL of the RSS feed to point at your own server

  Result: When Mahara next refreshes the RSS feed, it will send the plaintext username and password to your server, where you can easily capture it.

  Fix: Require a user to re-enter the password when they change the URL

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1172096/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
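The fix proposed in the description, worked through as an added example (Python, not Mahara's own PHP code): a settings-save rule that refuses to carry a stored feed password over to a changed URL unless the password is retyped in the form, plus a fetch-time guard that only attaches stored credentials to requests going to the configured feed's origin (scheme, host, port). The guard goes one step beyond the report's fix, covering the case where a fetch is redirected to another host. `FeedBlockConfig`, `save_feed_settings`, `credentials_for_request` and the sample hostnames are assumptions constructed for this example.

```python
"""Added example, not Mahara's code: bind stored RSS feed credentials to
the feed URL they were entered for, so editing the URL cannot redirect a
saved password. Names, storage layout and sample URLs are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FeedBlockConfig:
    """Persisted settings of one RSS feed block. A real store would keep
    the password encrypted at rest (bug 1016253); plain string here."""
    url: str
    username: Optional[str] = None
    password: Optional[str] = None


class PasswordReentryRequired(ValueError):
    """The URL changed but the form carried no freshly typed password."""


def _normalize_url(url: str) -> str:
    return url.strip()


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) that a fetch of this URL sends credentials to.
    Default ports are filled in so 'https://h/' and 'https://h:443/' match."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def save_feed_settings(stored: FeedBlockConfig, form_url: str,
                       form_username: Optional[str],
                       form_password: Optional[str]) -> FeedBlockConfig:
    """Apply a settings-form submission to the stored block config.

    A blank password field means "keep the current password" (the usual
    edit-form convention). That shortcut is honoured only while the URL is
    unchanged; a new URL with a blank password field is rejected instead
    of silently re-binding the old secret to the new destination.
    """
    new_url = _normalize_url(form_url)
    url_changed = new_url != _normalize_url(stored.url)
    username = form_username or None
    if form_password:
        # Freshly typed password: the user knowingly supplied it for this URL.
        return FeedBlockConfig(new_url, username, form_password)
    if url_changed and stored.password is not None:
        # An old password exists and the URL changed: require re-entry.
        raise PasswordReentryRequired(
            "feed URL changed; re-enter the feed password to save")
    # URL unchanged (or nothing stored to leak): keep the existing secret.
    return FeedBlockConfig(new_url, username, stored.password)


def credentials_for_request(config: FeedBlockConfig,
                            request_url: str) -> Optional[Tuple[Optional[str], str]]:
    """Fetch-time guard: return (username, password) only when the request
    targets the configured feed's origin, else None. Protects against a
    feed fetch being redirected to a different host or downgraded to http."""
    if config.password is None:
        return None
    if origin(request_url) != origin(config.url):
        return None
    return (config.username, config.password)


if __name__ == "__main__":
    # Constructed sample: a private feed with stored credentials.
    stored = FeedBlockConfig("https://feeds.example.org/private.xml", "alice", "s3cret")
    kept = save_feed_settings(stored, "https://feeds.example.org/private.xml", "alice", "")
    print("same URL, blank password ->", "kept" if kept.password else "cleared")
    try:
        save_feed_settings(stored, "https://another-host.example/collect", "alice", "")
    except PasswordReentryRequired as exc:
        print("changed URL, blank password ->", exc)
    print("redirect to http ->",
          credentials_for_request(stored, "http://feeds.example.org/private.xml"))
```

The save rule implements the report's fix literally (any URL change requires the password to be retyped); the fetch-time guard adds defence in depth by refusing to hand credentials to any origin other than the one the user configured, which also blocks a scheme downgrade from https to http.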

