We have investigated a serious security bug in the Mahara 1.5.x series which
allows a virus-infected file to be uploaded. This loophole/bug allows
the infected file to be uploaded without being scanned, and the Mahara user
interface gives the impression that the file was scanned successfully.
The issue is
Attached the uploadmanager.php which we used for debugging.
PHP debugging without fix, 2 files uploaded
In the Loop isset($inputindex) :
$tmpfile: NULL
In the Loop is_array($file) is_uploaded_file($tmpname)
$fullpath: array(2) { [0]= string(14) /tmp/phpDdqaTc [1]= string(14)
/tmp/phpM4aRv1 }
** Information type changed from Public to Private Security
** Information type changed from Private Security to Public Security
** Information type changed from Public Security to Private Security
--
You received this bug notification because you are a member of Mahara
Contributors, which is
Hi Kristina,
I have attached one for your reference. Sorry, it didn't occur to me
earlier.
** Attachment added: image.jpg
https://bugs.launchpad.net/mahara/+bug/1088096/+attachment/3459527/+files/image.jpg
--
OK, that is great. Will try it out. Thanks a lot.
--
https://bugs.launchpad.net/bugs/1087900
Title:
Restrict username change if user accounts are manually created
Status in
Public bug reported:
Version: 1.6.3, master
Platform: all
Browser: all
Hardcoded 'amp;' after sanitisation becomes 'amp;amp;'.
All URLs passed to build_pagination need to be fixed.
Regression caused by bug #1079498
Related to the bug #1089282
** Affects: mahara
Importance: High
master: https://reviews.mahara.org/1918
1.6: https://reviews.mahara.org/#/c/1919
1.5: https://reviews.mahara.org/#/c/1920
--
https://bugs.launchpad.net/bugs/1090203
Title:
Double