mahara-contributors team mailing list archive

Thread
Date

[Bug 1016253] Re: Don't send plaintext RSS password back to browser

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Kristina Hoeppner <1016253@xxxxxxxxxxxxxxxxxx>
Date: Mon, 24 Nov 2014 00:17:03 -0000
Reply-to: Bug 1016253 <1016253@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-7410

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-7411

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1016253

Title:
  Don't send plaintext RSS password back to browser

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released
Status in Mahara 1.6 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Released

Bug description:
  The externalfeed block should protect user credentials when
  authenticated RSS feeds are used.  The blocktype in Mahara 1.5.1
  appears to store login credentials in cleartext within the database.

  This presents an unfortunate vulnerability that could give access to
  other systems should Mahara's database be compromised.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1016253/+subscriptions

References

[Bug 1016253] [NEW] Authenticated RSS feeds should encrypt login credentials
From: Darren James Harkness, 2012-06-21