This bug was fixed in the package mahara - 1.2.5-2ubuntu0.1
---------------
mahara (1.2.5-2ubuntu0.1) maverick-security; urgency=low
* SECURITY UPDATE: cross-site scripting vulnerability
- debian/patches/CVE-2011-0439.dpatch: upstream patch
- CVE-2011-0439
- LP: #676336
* SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
- debian/patches/CVE-2011-0440.dpatch: upstream patch
- CVE-2011-0440
-- Francois Marier <[email protected]> Fri, 25 Mar 2011 16:38:51 +1300
** Changed in: mahara (Ubuntu Maverick)
Status: Fix Committed => Fix Released
** Changed in: mahara (Ubuntu Lucid)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Mahara
Committers, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/676336
Title:
Blogs get deleted without sesskey check
Status in Mahara ePortfolio:
Fix Released
Status in Mahara 1.3 series:
Fix Released
Status in “mahara” package in Ubuntu:
Fix Released
Status in “mahara” source package in Lucid:
Fix Released
Status in “mahara” source package in Maverick:
Fix Released
Status in “mahara” source package in Natty:
Fix Released
Bug description:
Permissions are checked but the sesskey is neither passed nor checked
e.g. artefact/blog/index.php?delete=123
_______________________________________________
Mailing list: https://launchpad.net/~mahara-core
Post to : [email protected]
Unsubscribe : https://launchpad.net/~mahara-core
More help : https://help.launchpad.net/ListHelp
