1. 29 Oct, 2012 1 commit
  2. 19 Oct, 2012 1 commit
  3. 18 Oct, 2012 3 commits
  4. 17 Oct, 2012 1 commit
  5. 16 Oct, 2012 1 commit
    • Fix Leap2A import from Moodle · 9748c636
      Hugh Davenport authored
      
      
      Related to bug #1047111
      
      That bug fixed the XXE attack by setting the following to true
       libxml_disable_entity_loader
      
      This caused issues with the leap2a importer used by mnet, which
      used the simplexml_load to load the XML, which relies on
      file-based remote entities. For this situation, the following flag
      is used, which stops network-based XXE attacks
       LIBXML_NONET
      
      Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  6. 15 Oct, 2012 1 commit
  7. 10 Oct, 2012 9 commits
    • Escape pieform errors displayed to users · c3fb9200
      Hugh Davenport authored
      
      
      Bug #1063480
      CVE-2012-2243
      
      If a user modifies a form in such a way that an error
      is caused based on their input there is a possible XSS
      avenue.
      
      This was displayed in the user/group CSV uploads, with
      a malicious script in the header which causes a CSV parsing
      error and was then passed back to the user verbatim.
      
      This patch escapes all error messages in the pieform error
      output.
      
      Change-Id: I136546266115faa92b727317d6539518d73aea55
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Escape user uploaded SVG files · 52e35d9d
      Hugh Davenport authored
      
      
      Bug #1061980
      CVE-2012-2247
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      Unfortunately, an SVG file can possibly contain insecure content,
      such as JavaScript, that would be run on the victim's browser.
      
      This patch adds SVG files (image/svg+xml) to the list of files
      to not display by default.
      
      Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix Click-Jacking attack on account deletion page · b480b81a
      Hugh Davenport authored
      
      
      This attack has been mitigated by adding an HTTP header
      of X-Frame-Options to every page in Mahara.
      
      Bug #1057240
      CVE-2012-2246
      
      Change-Id: Ia15bb43c83054ffa5540d71fcc932266b92d288f
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix up old file permissions to remove executable · f964a327
      Hugh Davenport authored
      
      
      Bug #1057238
      CVE-2012-2244
      
      In previous versions of Mahara, all the user uploaded files
      had the executable bit set. This patch runs an upgrade script
      to remove this executable bit.
      
      Change-Id: If4a3f5876f34bd2d38ff9edcd96b234271c2d1f6
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Escape user uploaded XHTML files · 26c5cf07
      Hugh Davenport authored
      
      
      Bug #1055232
      CVE-2012-2243
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      This did not include XHTML files, which can cause the same
      security issues as HTML or XML files. This patch includes the
      XHTML mimetype of application/xhtml+xml in the test of which
      files to escape.
      
      Change-Id: Iffb8308fdb56a173fd4af2bbda800999dd11fea3
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix saved file permissions · e85c165f
      Hugh Davenport authored
      
      
      Bug #1057238
      CVE-2012-2244
      
      Currently, files that are saved by Mahara use the
      directorypermissions config option, which defaults to
      0700, which allows execution.
      
      This allows users to potentially upload files with
      executable bits set, and if they have control of the
      config options pathtoclam, pathtozip, or pathtounzip
      then they could run this command when one of those
      commands is invoked.
      
      This patch bitwise-ANDs the directory permissions
      config with 0666, which removes any executable bit
      and sets the result as a new config option
      filepermissions.
      
      A change to the upload code to use this new option is made.
      
      Change-Id: I088d9873de7797d5a9aefc2401301f8b855ed592
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Remove clamav from site admin options · 2de4e22a
      Hugh Davenport authored
      
      
      Bug #1057238
      CVE-2012-2244
      
      When a site administrator can manipulate the path for the
      clamav scanner, they could produce either a reverse shell,
      or allow any user to execute arbitrary remote commands by
      setting it to an uploaded reverse shell, or to /bin/bash
      respectively.
      
      Other executable paths, namely pathtozip and pathtounzip,
      are only set via config.php, and not through the site admin
      interface. This option, pathtoclam, should follow the same
      design.
      
      Change-Id: I7d4822c9f54eda80682d6631699c1ab40f1dc896
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix regression with mobile upload token (Bug #1057878) · c73233ef
      Melissa Draper authored
      
      
      New users were getting a token of "Array" set by default
      when their settings were populated. It was useless.
      
      Tokens were not being updated on the website. This was
      due to changes in the API which required the old token
      be passed when refreshing happened, and it was not
      being passed in the JSON reply.
      
      Change-Id: Ie8425e439b0b59134825c7922cfa887e7ad49c8b
      Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>
  8. 05 Oct, 2012 1 commit
  9. 03 Oct, 2012 2 commits
  10. 27 Sep, 2012 4 commits
  11. 26 Sep, 2012 1 commit
  12. 25 Sep, 2012 2 commits
  13. 24 Sep, 2012 3 commits
  14. 23 Sep, 2012 2 commits
  15. 21 Sep, 2012 1 commit
  16. 20 Sep, 2012 2 commits
  17. 19 Sep, 2012 4 commits
  18. 18 Sep, 2012 1 commit