mahara-contributors team mailing list archive
Message #05170
[Bug 685942] Re: Possible https to http downgrade
Hi Iñaki,
1.3_STABLE is supported for security fixes only. However, given that
this "cron not running" bug is a regression caused by a security update,
we should fix it in 1.3.7.
Bug #794490 is the bug that tracks this problem (and that's what change
I991f51d2cc9272e5f33e5f4b7486d3565924d8c7 should have been pointing to).
I have reopened it with a milestone of 1.3.7.
Cheers,
Francois
** Changed in: mahara/1.3
Status: Incomplete => Fix Released
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/685942
Title:
Possible https to http downgrade
Status in Mahara ePortfolio:
Fix Released
Status in Mahara 1.2 series:
Fix Released
Status in Mahara 1.3 series:
Fix Released
Bug description:
Interesting that with both bug #646713 and bug #684190, we overlooked
the most obvious and relatively sensitive issue.
Even though $cfg->wwwroot might be set to 'https://somemaharasite',
depending on the Apache config, a user may still be able to use an
insecure page for logging in by entering 'http://somemaharasite' in the
web browser address field; then, upon logging in, the user credentials
will be passed through an insecure connection first, before the server
responds with a redirection to the https-secured page.
This is also valid for other pages after logging in: at any time the
user may switch back to an insecure connection by typing
'http://somemaharasite/somedir/somepage.php'.
This can be fixed by ensuring that $_SERVER['HTTPS'] is set when
$cfg->wwwroot = 'https://...', otherwise redirecting the user to the
same page using https.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/685942/+subscriptions
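The check proposed in the bug description, written out as an added example; this is not Mahara's own fix and none of the function names below come from the project. It assumes the site's configured root is passed in as a string (standing in for $cfg->wwwroot) and that the request variables are passed in as an array (standing in for $_SERVER), so the decision logic can be exercised without a web server. The TRUSTED_PROXIES list is a constructed placeholder: when TLS is terminated by a reverse proxy, Apache does not set $_SERVER['HTTPS'], so the example honours X-Forwarded-Proto only when the immediate peer is a known proxy, because any client can send that header itself.

```php
<?php
// Added example, not Mahara code: enforce the scheme of the configured wwwroot.
// If wwwroot is https:// but the current request arrived over plain http,
// redirect to the same path and query on https before any credentials or
// session cookies are handled.

// Constructed placeholder: addresses of reverse proxies allowed to assert the
// original scheme via X-Forwarded-Proto. Adjust per deployment.
const TRUSTED_PROXIES = ['127.0.0.1'];

/**
 * Is this request over TLS?
 * $_SERVER['HTTPS'] is authoritative when Apache terminates TLS itself
 * (empty or 'off' means plain http). X-Forwarded-Proto is consulted only
 * when REMOTE_ADDR is a trusted proxy.
 */
function request_is_https(array $server): bool {
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['REMOTE_ADDR'], $server['HTTP_X_FORWARDED_PROTO'])
            && in_array($server['REMOTE_ADDR'], TRUSTED_PROXIES, true)) {
        // Take the first (client-side) hop if the header carries a list.
        $proto = explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0];
        return strtolower(trim($proto)) === 'https';
    }
    return false;
}

/**
 * Return the https URL to redirect to, or null if no redirect is needed.
 * The host is taken from the configured wwwroot, never from the Host header,
 * so the redirect cannot be steered to another site; path and query come
 * from REQUEST_URI so the user lands on the same page.
 */
function https_redirect_target(string $wwwroot, array $server): ?string {
    $parts = parse_url($wwwroot);
    if (($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return null;                 // site not configured for https; nothing to enforce
    }
    if (request_is_https($server)) {
        return null;                 // already secure
    }
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;         // keep the target on this host
    }
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    return 'https://' . $parts['host'] . $port . $path;
}

/** Call early in the request, before reading any POST data or cookies. */
function enforce_https(string $wwwroot, array $server): void {
    $target = https_redirect_target($wwwroot, $server);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
}

// Constructed sample request: a user typed the http:// address by hand.
$sample = [
    'HTTPS'       => '',             // Apache leaves this empty on a plain-http vhost
    'REMOTE_ADDR' => '203.0.113.5',
    'REQUEST_URI' => '/somedir/somepage.php?x=1',
];
var_dump(https_redirect_target('https://somemaharasite', $sample));

// Same request as seen behind a trusted TLS-terminating proxy: no redirect.
$viaProxy = $sample + ['HTTP_X_FORWARDED_PROTO' => 'https'];
$viaProxy['REMOTE_ADDR'] = '127.0.0.1';
var_dump(https_redirect_target('https://somemaharasite', $viaProxy));
```

The redirect only helps once the browser has already sent the first request in clear, which is why the check has to run before the login form is processed rather than after; the credentials in the bug report are exposed on that very first POST. The example is deliberately conservative about X-Forwarded-Proto: trusting it from arbitrary peers would let a plain-http client claim to be secure and skip the redirect entirely.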