mahara-contributors team mailing list archive
Message #05159
[Bug 685942] Re: Possible https to http downgrade
Hi Ruslan,
yup, it's been fixed for 1.4_STABLE and master, but not for 1.3_STABLE (see http://gitorious.org/mahara/mahara/blobs/1.3_STABLE/htdocs/init.php#line194). I thought 1.3_STABLE was still supported, am I right?
Saludos.
Iñaki.
--
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/685942
Title:
Possible https to http downgrade
Status in Mahara ePortfolio:
Fix Released
Status in Mahara 1.2 series:
Fix Released
Status in Mahara 1.3 series:
Incomplete
Bug description:
Interesting that with both bug #646713 and bug #684190, we overlooked the most obvious and relatively sensitive issue.

Even though $cfg->wwwroot might be set to 'https://somemaharasite', depending on apache config, the user may still be able to use an insecure page for logging in by entering 'http://somemaharasite' in the web browser address field; then, upon logging in, user credentials will be passed through an insecure connection first, before the server responds with a redirection to the https-secured page.

This is valid for other pages after logging in: at any time the user may switch back to an insecure connection by typing 'http://somemaharasite/somedir/somepage.php'.

This can be fixed by ensuring that $_SERVER['HTTPS'] is set when $cfg->wwwroot = 'https://...', otherwise redirecting the user to the same page using https.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/685942/+subscriptions
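The check the bug description asks for (refuse plain-http requests when wwwroot is https and send the browser to the https copy of the same page), as an added PHP example that is not Mahara's own code; Mahara's real fix is in the init.php linked above. It takes $_SERVER and the wwwroot value as parameters so it can be exercised outside Mahara; $trust_forwarded_proto is an assumed option for deployments behind a TLS-terminating proxy and is off by default.

```php
<?php
// Added example, not Mahara's code. $wwwroot stands in for $cfg->wwwroot.

function request_is_https(array $server, bool $trust_forwarded_proto = false): bool {
    // PHP sets HTTPS to a non-empty value on TLS requests; IIS sets the literal string 'off'.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Honour X-Forwarded-Proto only when a trusted proxy is known to overwrite any
    // client-supplied copy; otherwise a client could spoof it and skip the redirect.
    if ($trust_forwarded_proto && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

// Returns the https URL to redirect to, or null when no redirect is needed.
function https_redirect_target(array $server, string $wwwroot, bool $trust_forwarded_proto = false): ?string {
    if (stripos($wwwroot, 'https://') !== 0) {
        return null;                     // site is not configured for https
    }
    if (request_is_https($server, $trust_forwarded_proto)) {
        return null;                     // already on https
    }
    // Take host and port from the configured wwwroot, not from the Host header,
    // so a spoofed Host header cannot turn this into an open redirect.
    $host = parse_url($wwwroot, PHP_URL_HOST);
    $port = parse_url($wwwroot, PHP_URL_PORT);
    $uri  = $server['REQUEST_URI'] ?? '/';   // absolute path, includes any wwwroot subdirectory
    return 'https://' . $host . ($port ? ':' . $port : '') . $uri;
}

// Usage near the top of a front controller such as init.php.
$wwwroot = 'https://somemaharasite/';    // constructed value, as in the bug report
$target  = https_redirect_target($_SERVER, $wwwroot);
if ($target !== null) {
    // A POST body sent over plain http is already exposed; the redirect drops it
    // rather than replaying it, and the user re-submits over https.
    header('Location: ' . $target, true, 301);
    exit;
}
if (request_is_https($_SERVER)) {
    // Extra hardening beyond the bug's fix: HSTS makes the browser rewrite later
    // http:// URLs to https:// itself, so the insecure first request never happens.
    header('Strict-Transport-Security: max-age=31536000');
}
```

The redirect only protects requests that reach the server; the credentials in the very first plain-http POST are already on the wire, which is why the HSTS header is worth sending alongside it.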