
mahara-contributors team mailing list archive

[Bug 1014854] Re: HTML tags in installation folder (!)

 

This sounds like a problem only the site admin setting up the site can
achieve - so therefore a self-sabotaging problem. If they can access the
server and make a folder and copy files to it then they can most likely
do more damage than what is mentioned above.

https://bugs.launchpad.net/bugs/1014854

Title:
  HTML tags in installation folder (!)

Status in Mahara ePortfolio:
  Triaged

Bug description:
  Reported by Emanuel Bronshtein:

  > In Linux OS it is possible to create folder and file names that
  > contain an unclosed HTML tag.
  > By creating a folder named <img src=0 onerror=alert(1)> and copying
  > the Mahara installation folder to it, JavaScript code is executed
  > when visiting the main\installation page.
  > http://localhost/M/";><img src=X onerror=alert(7)>/mahara-
  > 1.5.1/htdocs/admin/
  > The HTML code (from the URI) is inserted into the database inside the
  > wwwroot configuration, which is then printed to the pages without escaping.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1014854/+subscriptions
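
The report describes a value taken from the request URI being stored as wwwroot and later printed without escaping. The following is an added example, not Mahara's code: the function names `validate_wwwroot` and `wwwroot_attr` are hypothetical, and it shows one way to reject such a value at install time and to escape it at output time.

```php
<?php
// Added illustration; function names are hypothetical, not Mahara's API.

/**
 * Install-time check: accept a derived wwwroot only if it is a plain
 * http(s) URL with no HTML/attribute metacharacters or whitespace.
 * Deliberately conservative: folder names with spaces are rejected too.
 */
function validate_wwwroot(string $candidate): ?string
{
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Check the raw string and its URL-decoded form: the browser may send
    // the folder name percent-encoded, and the server may decode it.
    foreach ([$candidate, rawurldecode($candidate)] as $form) {
        if (preg_match('/[<>"\'`\s\x00-\x1f]/', $form)) {
            return null;
        }
    }
    return rtrim($candidate, '/') . '/';
}

/** Output-time defence: escape the stored value for HTML text or attributes. */
function wwwroot_attr(string $wwwroot): string
{
    return htmlspecialchars($wwwroot, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs modelled on the report above.
$samples = [
    'http://localhost/mahara-1.5.1/htdocs/',
    'http://localhost/M/";><img src=X onerror=alert(7)>/mahara-1.5.1/htdocs/',
    'http://localhost/M/%22%3B%3E%3Cimg%20src%3DX%3E/htdocs/',
];
foreach ($samples as $s) {
    $ok = validate_wwwroot($s);
    printf("%-8s %s\n", $ok === null ? 'REJECT' : 'ACCEPT', wwwroot_attr($s));
}
```

Escaping at output is the control that matters even when the install-time check is in place, since a stored configuration value can also be changed by other means after installation.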

