mahara-contributors team mailing list archive

[Bug 685942] Re: Possible https to http downgrade

 

Hi Iñaki,

1.3_STABLE is supported for security fixes only. However, given that
this "cron not running" bug is a regression caused by a security update,
we should fix it in 1.3.7.

Bug #794490 is the bug that tracks this problem (and that's what change
I991f51d2cc9272e5f33e5f4b7486d3565924d8c7 should have been pointing to).
I have reopened it with a milestone of 1.3.7.

Cheers,
Francois

** Changed in: mahara/1.3
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/685942

Title:
  Possible https to http downgrade

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.2 series:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  Interesting that with both bug #646713 and bug #684190, we overlooked
  the most obvious and relatively sensitive issue.

  Even though $cfg->wwwroot might be set to 'https://somemaharasite',
  depending on the Apache config, the user may still be able to use an
  insecure page for logging in by entering 'http://somemaharasite' in the
  web browser address field; then, upon logging in, the user credentials
  will be passed through the insecure connection first, before the server
  responds with a redirection to the https-secured page.

  This is also valid for other pages after logging in: at any time the
  user may switch back to an insecure connection by typing
  'http://somemaharasite/somedir/somepage.php'.

  This can be fixed by ensuring that $_SERVER['HTTPS'] is set when
  $cfg->wwwroot = 'https://...', otherwise redirecting the user to the
  same page using https.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/685942/+subscriptions
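The check the bug description proposes (redirect to the https twin of the requested page whenever $cfg->wwwroot is https but $_SERVER['HTTPS'] is not set), written out as an added example. This is not Mahara's own code; the function names and the reverse-proxy caveat in the comments are mine, and the hostname is the one used in the report.

```php
<?php
// Added example, not Mahara's own code: enforce the scheme of $cfg->wwwroot
// before any request handling reads the session or POSTed credentials.

/**
 * Return the https URL this request should be redirected to, or null when no
 * redirect is needed (the request is already https, or $wwwroot is not https
 * so nothing is enforced). $server is the $_SERVER array, passed in so the
 * decision can be exercised without a web server.
 */
function https_redirect_target(string $wwwroot, array $server): ?string
{
    if (strncasecmp($wwwroot, 'https://', 8) !== 0) {
        return null; // site is configured for plain http; nothing to enforce
    }
    // PHP sets $_SERVER['HTTPS'] to a non-empty value for TLS requests; some
    // servers (IIS) set it to 'off' for plain http, so treat that as not https.
    // Caveat (assumption): behind a TLS-terminating reverse proxy HTTPS may
    // never be set and the proxy's forwarded-proto header must be consulted
    // instead, which is not shown here.
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower($https) !== 'off') {
        return null;
    }
    // Build the target from the configured host, not from the Host header, so
    // the redirect cannot be steered elsewhere; keep the requested path and
    // query so 'http://site/somedir/somepage.php' lands on its https twin.
    $parts = parse_url($wwwroot);
    $authority = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $authority . '/' . ltrim($uri, '/');
}

/**
 * Call this at the very start of the bootstrap. A credential POST that already
 * arrived over plain http has already crossed the network in the clear; the
 * redirect only stops the next request from doing the same, which is why the
 * check must run on every page, not just the login page.
 */
function enforce_https(string $wwwroot): void
{
    $target = https_redirect_target($wwwroot, $_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
}

// Usage with the hostname from the bug report:
// enforce_https('https://somemaharasite');
```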