mahara-contributors team mailing list archive
Message #13932
[Bug 1175446] Re: user supplied $_SERVER['HTTP_HOST'] can be used for injections
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1175446
Title:
user supplied $_SERVER['HTTP_HOST'] can be used for injections
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.6 series:
Fix Released
Status in Mahara 1.7 series:
Fix Released
Bug description:
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
curl -H "host:cow\"onerror='alert(1)" localhost/code/mahara/htdocs/admin/ | fgrep cow
on a fresh install (not installed yet, as first page hit of installed will store it in db), will show some unescaped
that is used in init.php, to set wwwroot, and noreplyaddress
There is also a possible injection using lib/web.php: get_requested_host_name uses it, and that function is in turn used by clean_urls and by AccessDeniedException.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1175446/+subscriptions
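The report above describes the pattern of trusting $_SERVER['HTTP_HOST'] to derive wwwroot (and values downstream of it). The following is an added illustration, not Mahara's own code or the fix that was committed: it puts the unsafe pattern next to a hardened resolver that prefers a configured wwwroot, validates the Host header's syntax, checks it against an administrator allowlist, and escapes host-derived values before they reach HTML. The function names, the $cfg keys (`wwwroot`, `allowed_hosts`) and the sample request are hypothetical, constructed for the demonstration.

```php
<?php
// Added illustration, not Mahara code. Shows the unsafe pattern the bug
// report describes (trusting $_SERVER['HTTP_HOST'] to build wwwroot) next
// to a hardened resolver. Function names and $cfg keys are hypothetical.

// UNSAFE: on a fresh install the Host header is attacker-controlled, and
// whatever it contains flows straight into wwwroot and generated HTML.
function unsafe_wwwroot(array $server): string {
    return 'http://' . $server['HTTP_HOST'] . '/';
}

// Hardened: prefer a configured wwwroot; otherwise accept the request host
// only if it is a syntactically valid host[:port] AND is on an allowlist.
function resolve_wwwroot(array $server, array $cfg): string {
    // 1. A configured wwwroot never consults the request at all.
    if (!empty($cfg['wwwroot'])) {
        return rtrim($cfg['wwwroot'], '/') . '/';
    }

    $host = $server['HTTP_HOST'] ?? '';

    // 2. Strict syntax check: letters, digits, '-', '.', optional ':port'.
    //    Quotes, spaces, '=' and similar (as in the curl PoC) are rejected.
    if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/', $host)) {
        throw new RuntimeException('Invalid Host header');
    }

    // 3. Allowlist check against the hosts the administrator expects to serve.
    $allowed = array_map('strtolower', $cfg['allowed_hosts'] ?? []);
    if (!in_array(strtolower($host), $allowed, true)) {
        throw new RuntimeException('Unexpected Host header');
    }

    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $host . '/';
}

// Defence in depth: anything derived from the host is still HTML-escaped
// at the point where it is written into a page or attribute.
function html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demo with a constructed request mimicking the payload from the report.
$server = ['HTTP_HOST' => "cow\"onerror='alert(1)"];
$cfg    = ['wwwroot' => '', 'allowed_hosts' => ['localhost', 'mahara.example.org']];

echo 'unsafe:   ', unsafe_wwwroot($server), "\n";
try {
    echo 'hardened: ', resolve_wwwroot($server, $cfg), "\n";
} catch (RuntimeException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ")\n";
}
// Even if the raw value slipped through, escaping neutralises the quote.
echo 'escaped:  <a href="', html_attr(unsafe_wwwroot($server)), '">link</a>', "\n";
```

The three layers are deliberately independent: a configured wwwroot removes the request from the decision entirely, the syntax and allowlist checks catch a forged Host header on an installer page or misconfigured virtual host, and output escaping covers any place where a host-derived string is still emitted into HTML.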