mahara-packaging team mailing list archive

Thread
Date

[Bug 676336] Re: Blogs get deleted without sesskey check

To: mahara-packaging@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <676336@xxxxxxxxxxxxxxxxxx>
Date: Fri, 08 Apr 2011 22:03:56 -0000
Reply-to: Bug 676336 <676336@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package mahara - 1.2.4-1ubuntu0.2

---------------
mahara (1.2.4-1ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: cross-site scripting vulnerability
    - debian/patches/CVE-2011-0439.dpatch: upstream patch
    - CVE-2011-0439
    - LP: #676336

  * SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
    - debian/patches/CVE-2011-0440.dpatch: upstream patch
    - CVE-2011-0440
 -- Francois Marier <francois@xxxxxxxxxx>   Fri, 18 Mar 2011 15:51:03 +1300

-- 
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/676336

Title:
  Blogs get deleted without sesskey check

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released
Status in “mahara” package in Ubuntu:
  Fix Released
Status in “mahara” source package in Lucid:
  Fix Released
Status in “mahara” source package in Maverick:
  Fix Released
Status in “mahara” source package in Natty:
  Fix Released

Bug description:
  Permissions are checked but the sesskey is neither passed nor checked
  e.g. artefact/blog/index.php?delete=123