mahara-contributors team mailing list archive

[Aaron Wells <1558361@xxxxxxxxxxxxxxxxxx>]

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1558361

Title:
  XSS vulnerability due to window.opener (target="_blank" and
  window.open())

Status in Mahara:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Released

Bug description:
  The Catalyst security team has pointed out to us that the practice of
  opening new browser windows via "target" links or the Javascript
  window.open() command. The problem is that in these cases, the
  Javascript and HTML standards require that the newly opened window/tab
  have access to the original window's "Window" object, via
  "window.opener". This allows the new window to control the navigation
  of the original window, and possibly access other DOM objects as well,
  depending on security policies.

  The really bad part, though, is that the new window has access to
  window.opener, and navigation control via it, even if the new window
  is on a different domain than the original window. And this
  window.opener object remains there, even if the user goes to a new
  page or site in the new window, or the old window!

  This allows for all kinds of cross-site-scripting attacks. So, we need
  to prevent this behavior in Mahara.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1558361/+subscriptions