Reviewed: https://reviews.mahara.org/4255
Committed: http://gitorious.org/mahara/mahara/commit/f8a6c8aa14de3b13b07b8dfe3b2068031afe204e
Submitter: Robert Lyon ([email protected])
Branch: 1.10_STABLE
commit f8a6c8aa14de3b13b07b8dfe3b2068031afe204e
Author: Son Nguyen <[email protected]>
Date: Mon Jan 5 12:03:34 2015 +1300

    Display cleaned content of XML file.

    Bug 1404117

    Change-Id: I0dffc63f0ea10409c9ae18b9194a13a2287e0a7c
    Signed-off-by: Son Nguyen <[email protected]>

https://bugs.launchpad.net/bugs/1404117

Title: XSS via uploaded XML

Status in Mahara ePortfolio: Fix Committed
Status in Mahara 1.10 series: Fix Committed
Status in Mahara 1.8 series: Fix Committed
Status in Mahara 1.9 series: Fix Committed
Status in Mahara 15.04 series: Fix Committed

Bug description:

Reported by Roman Mironov

Dear Sir/Madam,

I have found a security vulnerability and would like to disclose it to you. An attacker can use this vulnerability to initiate stored Cross-Site scripting attacks on authenticated users.

Bug Description:
It is possible to upload .xml files with malicious code and then share them with users. As proof of concept it was possible to share a file between accounts that redirects the user to google.com. In order to reproduce this proof of concept please follow these steps:

Preconditions:
1) Ensure you have 2 accounts (user A and user B) that have access to each other's Journal entries.
2) Create an .xml file that has the following line of code:
   <script xmlns="http://www.w3.org/1999/xhtml">document.location='http://google.com';</script>

Steps to Reproduce:
1) Log in as user A.
2) Navigate to /artefact/internal/index.php and select Journal on the Navigation block.
3) Press the 'New Entry' button.
4) Enter any Title and Entry text.
5) Add the previously created .xml file as an attachment and press 'Save Entry'.
6) Log in as user B.
7) Navigate to user A's profile page.
8) Find the previously created Journal entry and press the 'Download' button next to the .xml file name.
9) Observe that you are redirected to google.
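The fix commit above is titled "Display cleaned content of XML file". As an added, stand-alone illustration of what such cleaning involves (this is not Mahara's code), the following Python strips script-bearing elements and event-handler or javascript: attributes from an uploaded XML document before it is rendered, and flags uploads that needed cleaning. The tag list, the `data:` rule and the sample inputs (built from the report's proof of concept) are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Elements that execute script or pull in active or external content in a browser.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "link", "meta", "base"}


def _local(tag: str) -> str:
    """Local name of a possibly namespace-qualified tag: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()


def _is_dangerous_attr(name: str, value: str) -> bool:
    """Event handlers (on*) and javascript:/data: URLs; the data: rule is deliberately strict."""
    if _local(name).startswith("on"):
        return True
    compact = "".join(value.split()).lower()  # defeats whitespace obfuscation
    return compact.startswith(("javascript:", "data:"))


def clean_xml(document: bytes) -> str:
    """Return the document with active content removed; raise ValueError if it must be refused."""
    try:
        # In production, parse with defusedxml to also block entity-expansion attacks.
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        raise ValueError(f"rejecting malformed XML: {exc}") from exc
    if _local(root.tag) in DANGEROUS_TAGS:
        raise ValueError("root element is active content")
    # Build the parent map first, then prune, so removals never disturb the walk.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for child, parent in parent_of.items():
        if _local(child.tag) in DANGEROUS_TAGS:
            parent.remove(child)
    for elem in root.iter():
        for name, value in list(elem.attrib.items()):
            if _is_dangerous_attr(name, value):
                del elem.attrib[name]
    return ET.tostring(root, encoding="unicode")


def contains_active_content(document: bytes) -> bool:
    """True when cleaning would alter or refuse the document; useful for flagging uploads."""
    try:
        return clean_xml(document) != ET.tostring(ET.fromstring(document), encoding="unicode")
    except (ValueError, ET.ParseError):
        return True


# Constructed sample inputs: the proof of concept from the report, and a wrapped variant.
POC = b"<script xmlns=\"http://www.w3.org/1999/xhtml\">document.location='http://google.com';</script>"
WRAPPED = (b'<root><script xmlns="http://www.w3.org/1999/xhtml">x()</script>'
           b'<a href="javascript:x()" onclick="x()">ok</a></root>')
```

Cleaning complements rather than replaces serving user uploads with a Content-Disposition: attachment header and X-Content-Type-Options: nosniff, so the browser never renders the file inline in the first place.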

