mahara-contributors team mailing list archive
Message #25683
[Bug 1190788] Re: Can cause arbitrary SWF files to execute in the browser
** Information type changed from Private Security to Public Security
** Changed in: mahara/1.9
Status: Confirmed => Fix Committed
** Changed in: mahara/1.8
Status: Confirmed => Fix Committed
** Changed in: mahara/1.10
Status: Confirmed => Fix Committed
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1190788
Title:
Can cause arbitrary SWF files to execute in the browser
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.10 series:
Fix Committed
Status in Mahara 1.8 series:
Fix Committed
Status in Mahara 1.9 series:
Fix Committed
Status in Mahara 15.04 series:
Fix Committed
Bug description:
Subject: Found Critical XSS Vulnerability on Your System
Hello,
I found a really critical XSS (Cross Site Scripting) vulnerability on
mahara.org. The vulnerability works as follows:
1) I opened the demo account on Mahara and logged in to the admin account
by using the link "http://demo.mahara.org/".
2) Then I clicked the admin avatar picture to go to the user details page.
3) After that I clicked "edit this page" button.
4) Then I dragged the "File(s) to Download" image to the About me section of the page.
5) I created a .swf file that contains ActionScript codes. I also attached that file to this email.
6) I uploaded that XSS.swf file.
7) When I opened the XSS.swf file in the browser, I saw the alert message
showing SOLVER (my nickname).
8) Example script:
http://demo.mahara.org/artefact/file/download.php?file=247
By using this XSS vulnerability, an attacker can steal Mahara users'
cookies and their accounts. Furthermore, the attacker can redirect
users to a harmful website that contains a Trojan horse, malware or a
JavaScript downloader to get full access to the users' computers. This
issue can get bigger by using an XSS worm, and influence even some
other Mahara product users.
As a simple solution, the content of the file that is about to be
uploaded should be checked against harmful scripts and codes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1190788/+subscriptions
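An upload-time check along the lines the reporter suggests, as an added example that is not Mahara's code: it recognises Flash files by the SWF container header (FWS/CWS/ZWS plus version and declared length) rather than trusting the file extension or the MIME type the browser declared, so a renamed .swf is still caught. The function names and the sample byte strings are constructed for this example.

```python
import struct

# Magic bytes of the three SWF container variants:
# FWS = uncompressed body, CWS = zlib-compressed body, ZWS = LZMA-compressed body.
SWF_MAGIC = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
FLASH_MIME = "application/x-shockwave-flash"


def parse_swf_header(data):
    """Return (compression, version, declared_length) if the bytes start with
    an SWF header, otherwise None. The 8-byte header is never compressed, so
    this works for all three variants without inflating anything."""
    if len(data) < 8:
        return None
    compression = SWF_MAGIC.get(data[:3])
    if compression is None:
        return None
    version = data[3]                                 # one byte
    declared_length = struct.unpack("<I", data[4:8])[0]  # little-endian uint32
    return compression, version, declared_length


def check_upload(filename, declared_type, data):
    """Decide whether an upload may be stored on a site that serves user files
    from its own origin. Returns (accepted, reason). Content is inspected
    first: a browser plugin executes what the bytes are, not what the name says."""
    header = parse_swf_header(data)
    if header is not None:
        compression, version, length = header
        return False, ("rejected: SWF v%d (%s compression, %d bytes declared) "
                       "uploaded as %r" % (version, compression, length, filename))
    # Belt and braces: also refuse anything that announces itself as Flash.
    if declared_type.lower() == FLASH_MIME or filename.lower().endswith(".swf"):
        return False, "rejected: declared as Flash content"
    return True, "accepted"


# Constructed sample inputs (not real files):
FAKE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 200) + b"\x00" * 8   # renamed Flash file
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16                           # benign image header

if __name__ == "__main__":
    print(check_upload("holiday.jpg", "image/jpeg", FAKE_SWF))
    print(check_upload("photo.png", "image/png", FAKE_PNG))
    print(check_upload("XSS.swf", FLASH_MIME, b"not really flash"))
```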