mahara-contributors team mailing list archive
Message #15196
[Bug 1014854] Re: HTML tags in installation folder (!)
Agreed, it's out of our scope to defend against an attacker who has
write access to Mahara's directories in the filesystem.
** Changed in: mahara
Status: Triaged => Won't Fix
https://bugs.launchpad.net/bugs/1014854
Title:
HTML tags in installation folder (!)
Status in Mahara ePortfolio:
Won't Fix
Bug description:
Reported by Emanuel Bronshtein:
> In Linux it is possible to create folder and file names that
> contain an unclosed HTML tag.
> By creating a folder named <img src=0 onerror=alert(1)> and copying
> the Mahara installation folder into it, JavaScript code is executed
> by visiting the main\installation page.
> http://localhost/M/"><img src=X onerror=alert(7)>/mahara-1.5.1/htdocs/admin/
> The HTML code (from the URI) is inserted into the database in the wwwroot
> configuration, which is then printed to the pages without escaping.
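The flow the report describes (a base URL derived from the request path, stored as wwwroot, then printed without escaping), shown as an added PHP example that is not Mahara's code and not part of the original message. The function names are hypothetical and the input is the request path quoted in the report.

```php
<?php
// Added example: these helpers are hypothetical, not Mahara functions.

// Build a base URL from request data, as an installer might on first run.
function derive_wwwroot(string $host, string $requestPath): string
{
    // Drop the trailing "admin/" segment to get the application root.
    $root = preg_replace('#admin/?$#', '', $requestPath);
    return 'http://' . $host . $root;
}

// Control 1: refuse to store a base URL whose path holds markup characters.
function is_safe_wwwroot(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    // Decode first so percent-encoded quotes or brackets are also caught.
    $path = rawurldecode($parts['path'] ?? '/');
    return preg_match('#\A[A-Za-z0-9._~/-]*\z#', $path) === 1;
}

// Control 2: escape at output, whatever ended up in the configuration.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: the request path from the report.
$reported = '/M/"><img src=X onerror=alert(7)>/mahara-1.5.1/htdocs/admin/';
$wwwroot  = derive_wwwroot('localhost', $reported);

// Validation result for the reported path and for an ordinary install path.
var_dump(is_safe_wwwroot($wwwroot));
var_dump(is_safe_wwwroot('http://localhost/mahara-1.5.1/htdocs/'));

// Unescaped: the quote in the path ends the href attribute early.
echo '<a href="' . $wwwroot . '">home</a>', "\n";
// Escaped: the same value stays inside the attribute as inert text.
echo '<a href="' . attr($wwwroot) . '">home</a>', "\n";
```

Escaping at output covers any stored value, while the validation step keeps such a path out of the configuration in the first place.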