Contributors: Difference between revisions
From Mahara Wiki
Line 67 (previous revision):

These people have followed the [[Security | responsible disclosure practise after finding security vulnerabilities in the Mahara project infrastructure]].
* mahara.org vulnerable to the BEAST SSL/TLS attack
* A problem in the custom DuckDuckGo search setup on mahara.org
* mahara.org servers exposing web server version
* Directory listings active on wiki.mahara.org
* mahara.org vulnerable to the CCS SSL/TLS attack (https://www.openssl.org/news/secadv_20140605.txt)
* SHA-1 intermediate SSL certificates on some *.mahara.org sites
* SPF not setup for @mahara.org email
* SSL configuration on mahara.org still allowing TLSv1 128 bit RC4-SHA
* SSL configuration on mahara.org still allowing TLS_RSA_WITH_RC4_128_SHA and TLS_ECDHE_RSA_WITH_RC4_128_SHA
* <span id="error-page-phishing">mahara.org printing full requested URL on error pages, which could potentially be part of a very weak phishing attack</span>
* X-XSS-Protection header is not set ([https://bugs.launchpad.net/mahara/+bug/1531987 Bug report to improve security allaround])
* SPF record for mahara.org breaks length limit
* Some 301 redirects on mahara.org used Host field of HTTP request rather than hard-coded URL; potential for a cache poisoning attack
* Content spoofing on 404 page
* Strict-Transport-Security header was not set
* Extend spam protection with DMARC / DKIM
* Proxy protection to prevent bypassing of X-Frame-Options
* Set Certificate Authority Authorization
* DNSSEC and Domain Registry Protection (DRP is not available for .org domains though)
* Preloading of HSTS and increasing max age for wiki.mahara.org
=Organizations=

Line 67 (this revision):

These people have followed the [[Security | responsible disclosure practise after finding security vulnerabilities in the Mahara project infrastructure]].
==2018==
* Password auto-complete enabled - [https://m.facebook.com/kirti.ar Kirtikumar Anandrao Ramchandani]
* Host header attack on wiki.mahara.org - [https://www.linkedin.com/in/thrivikram-gujarathi-independent-web-penetration-tester-53074796 Thrivikram Gujarathi]
* Not disclosed yet; awaiting reply from the open source project affected - [https://www.linkedin.com/in/nikhil-sahoo-87204b106/ Nikhil Sahoo] and [https://www.linkedin.com/in/ipsita-subhadarshan-sahoo-907b32150/ Ipsita Subhadarshan Sahoo]
==2011-2017==
* mahara.org vulnerable to the BEAST SSL/TLS attack - [http://adamziaja.com Adam Ziaja]
* A problem in the custom DuckDuckGo search setup on mahara.org - [https://twitter.com/secalert David Vieira-Kurz of MajorSeurity]
* mahara.org servers exposing web server version - [https://twitter.com/e3amn2l Emanuel Bronshtein]
* Directory listings active on wiki.mahara.org - [https://www.facebook.com/proXy.test Parveen Yadav] & Ankit Bharathan
* mahara.org vulnerable to the CCS SSL/TLS attack (https://www.openssl.org/news/secadv_20140605.txt) - [https://twitter.com/pranavvenkats S. Venkatesh]
* SHA-1 intermediate SSL certificates on some *.mahara.org sites - [https://www.facebook.com/TnMcH Mohamed Chamli]
* SPF not setup for @mahara.org email - [https://www.facebook.com/ashesh1708 Ashesh Kumar] - [http://www.infobittechnologies.com/ Ketan Patil]
* SSL configuration on mahara.org still allowing TLSv1 128 bit RC4-SHA - [https://www.facebook.com/WhiteHatSecuri SaifAllah benMassaoud]
* SSL configuration on mahara.org still allowing TLS_RSA_WITH_RC4_128_SHA and TLS_ECDHE_RSA_WITH_RC4_128_SHA - [http://shawarkhan.com Shawar Khan]
* <span id="error-page-phishing">mahara.org printing full requested URL on error pages, which could potentially be part of a very weak phishing attack</span> - [https://twitter.com/Girish0777 Girish Sp]
* X-XSS-Protection header is not set ([https://bugs.launchpad.net/mahara/+bug/1531987 Bug report to improve security allaround]) - [https://www.facebook.com/WhiteHatSecuri SaifAllah benMassaoud] - [http://fb.com/zeex.zeeshan Zeeshan]
* SPF record for mahara.org breaks length limit - [https://twitter.com/rohittourister Rohit Kumar]
* Some 301 redirects on mahara.org used Host field of HTTP request rather than hard-coded URL; potential for a cache poisoning attack - Vikram Singh Rathore of [https://www.torridnetworks.com/home Torrid Networks Pvt Ltd]
* Content spoofing on 404 page - [https://www.facebook.com/T4YM.phtml Taimoor Abid]
* Strict-Transport-Security header was not set - [https://www.linkedin.com/in/kyawthiha89 Kyaw Thiha]
* Extend spam protection with DMARC / DKIM - [https://www.facebook.com/sam.patel.9822 Pal Patel]
* Proxy protection to prevent bypassing of X-Frame-Options - [http://Facebook.com/mushrafmustafaofficial Mushraf Mustafa]
* Set Certificate Authority Authorization - [https://www.facebook.com/profile.php?id=100011024580051 Shwetabh Suman]
* DNSSEC and Domain Registry Protection (DRP is not available for .org domains though) - [https://m.facebook.com/kirti.ar Kirtikumar Anandrao Ramchandani]
* Preloading of HSTS and increasing max age for wiki.mahara.org - [https://m.facebook.com/Mr.Ch4rLi3 Ratnadip Gajbhiye]
=Organizations=
Revision as of 17:24, 8 June 2018
Mahara is developed by a world-wide team of programmers, translators, designers and enthusiastic amateurs. Many individuals and groups have contributed to Mahara so far.
Security researchers
Mahara code
This is a list of security researchers who have contributed to Mahara itself. These people have followed the responsible disclosure practice after finding security vulnerabilities in the Mahara codebase.
- Aaron Barnes
- Abdullah Hussam Gazi
- Abhishek Dashora
- Ahmad Ashraff
- Ahmed Jerbi
- Ajay Singh Negi
- Anurag Srivastava
- C Vishnu Vardhan Reddy (Vishnu_dfx)
- chbi
- 陈瑞琦 (Chen Ruiqi)
- Dushyant Sahu
- Dylan S. Hailey
- Emanuel Bronshtein
- FaisaL Ahmed
- Hammad Mahmood
- Hamid Ashraf
- Himanshu Kumar Das
- Jaume Llopis Pujal
- Kamil Sevi
- Kirtikumar Anandrao Ramchandani
- M.R.Vignesh Kumar
- Mahmut Esat Yildirim
- Mike Haworth
- Mushraf Mustafa
- Narendra Bhati (R00t Sh3ll), Web Security Geeks
- Nitin Goplani
- Prashant Negi
- Rafay Baloch
- Roman Mironov
- SaifAllah benMassaoud
- Sajibe Kanti
- Saurabh Chandrakant Nemade
- Sergey Markov
- Shekhar Suman
- Siddhesh Gawde
- Tom Forbes
- Vineet Kumar
- Wan Ikram
- Wen-Chang Chien (簡文章)
- Yuji Tounai
- Zeeshan
Mahara project infrastructure
This second list is of security researchers who have reported security issues with the configuration or version of software used on the infrastructure of the Mahara project, which includes all of the project's websites (mahara.org, wiki.mahara.org, manual.mahara.org, langpacks.mahara.org, reviews.mahara.org, git.mahara.org, test.mahara.org) and the servers that host them.
These people have followed the responsible disclosure practice after finding security vulnerabilities in the Mahara project infrastructure.
2018
- Password auto-complete enabled - Kirtikumar Anandrao Ramchandani
- Host header attack on wiki.mahara.org - Thrivikram Gujarathi
- Not disclosed yet; awaiting reply from the open source project affected - Nikhil Sahoo and Ipsita Subhadarshan Sahoo
2011-2017
- mahara.org vulnerable to the BEAST SSL/TLS attack - Adam Ziaja
- A problem in the custom DuckDuckGo search setup on mahara.org - David Vieira-Kurz of MajorSeurity
- mahara.org servers exposing web server version - Emanuel Bronshtein
- Directory listings active on wiki.mahara.org - Parveen Yadav & Ankit Bharathan
- mahara.org vulnerable to the CCS SSL/TLS attack (https://www.openssl.org/news/secadv_20140605.txt) - S. Venkatesh
- SHA-1 intermediate SSL certificates on some *.mahara.org sites - Mohamed Chamli
- SPF not set up for @mahara.org email - Ashesh Kumar - Ketan Patil
- SSL configuration on mahara.org still allowing TLSv1 128 bit RC4-SHA - SaifAllah benMassaoud
- SSL configuration on mahara.org still allowing TLS_RSA_WITH_RC4_128_SHA and TLS_ECDHE_RSA_WITH_RC4_128_SHA - Shawar Khan
- mahara.org printing full requested URL on error pages, which could potentially be part of a very weak phishing attack - Girish Sp
- X-XSS-Protection header is not set (bug report to improve security all around) - SaifAllah benMassaoud - Zeeshan
- SPF record for mahara.org breaks length limit - Rohit Kumar
- Some 301 redirects on mahara.org used Host field of HTTP request rather than hard-coded URL; potential for a cache poisoning attack - Vikram Singh Rathore of Torrid Networks Pvt Ltd
- Content spoofing on 404 page - Taimoor Abid
- Strict-Transport-Security header was not set - Kyaw Thiha
- Extend spam protection with DMARC / DKIM - Pal Patel
- Proxy protection to prevent bypassing of X-Frame-Options - Mushraf Mustafa
- Set Certificate Authority Authorization - Shwetabh Suman
- DNSSEC and Domain Registry Protection (DRP is not available for .org domains though) - Kirtikumar Anandrao Ramchandani
- Preloading of HSTS and increasing max age for wiki.mahara.org - Ratnadip Gajbhiye
Organizations
A large part of the development on Mahara would not be possible without the funding from institutions and organizations.
Mahara 18.04
- The Australian National University
- Carleton University
- Catalyst
- Central Queensland University
- Landesinstitut für Schulentwicklung (State Institute for School Development in Baden-Württemberg, Germany)
- New Zealand Ministry of Education
- Pace University
- PHBern
- Povsod
- Queen Mary University of London
- SWITCH
- Synergy Learning
- Totara LMS
- University of Sussex
Mahara 17.10
- Auckland University of Technology
- Australian National University
- Blackboard
- Carleton University
- Catalyst
- Central Queensland University
- Dublin City University
- Eticeo
- New Zealand Ministry of Education
- SWITCH
- Teachers College, Columbia University
- Totara LMS
- Université de Montréal
- Université du Québec à Montréal
- University of Southern Queensland
- University of Sussex
Mahara 17.04
- Catalyst
- Catalyst Open Source Academy
- Donau-Universität Krems / ATS2020 Project
- Instructure
- Kineo (Pacific)
- Kwantlen Polytechnic University
- New Zealand Ministry of Education
- Northland District Health Board
- Povsod
- SWITCH
- Te Rito Maioha Early Childhood New Zealand
- Université de Montréal
Mahara 16.10
- Athabasca University
- Australian National University
- Catalyst
- PH Bern
- SWITCH
- Tiroler Schulnetz
- Université du Québec à Montréal
Mahara 16.04
- Athabasca University
- Cardiff University
- Catalyst
- Catalyst Open Source Academy
- Federation University Australia
- Pace University
- Povsod
- Province of Tirol
- Southampton Solent University
- SWITCH
- Université de Montreal
- Yale University
- Zurich University of Applied Sciences
Mahara 15.10
- Catalyst
- Catalyst Open Source Academy
- EdICT Training
- FernUniversität in Hagen
- iCampus 21
- Kwantlen Polytechnic University
- Land Tirol
- National Chi Nan University
- New Zealand Ministry of Education
- Pace University
- Pratt Institute
- SWITCH
- Totara LMS
- Université de Montreal
- Université de Sherbrooke
- University of Southern Queensland
- University of Warwick
- Yale University
Mahara 15.04
Mahara 15.04 was released on 17 April 2015.
- Athabasca University
- Catalyst IT
- Catalyst Open Source Academy
- Hochschule für Bildende Künste Braunschweig (The Braunschweig University of Art)
- iCampus21
- Lancaster University
- Liip
- New York Institute of Technology
- New Zealand Ministry of Education
- SWITCH
- Teaching and Learning Centre, University of Canberra
- Totara LMS
- Université de Montreal
- University of the Arts London
- Zentrum für Mediales Lernen (Center for Technology-Enhanced Learning) at Karlsruhe Institute of Technology (KIT)
Mahara 1.10
Mahara 1.10 was released on 21 October 2014.
- ARNES
- Catalyst IT
- Center for Open and Distance Learning at Karlsruhe Institute of Technology (KIT)
- iCampus21
- Lancaster University
- New Zealand Ministry of Education
- Pratt Institute
- SWITCH
- Teaching and Learning Centre, University of Canberra
- Totara LMS
Mahara 1.9
Mahara 1.9 was released on 15 April 2014.
- ARNES
- Catalyst IT
- Center for Open and Distance Learning at Karlsruhe Institute of Technology (KIT)
- Deltak Innovation
- Lancaster University
- Liip
- New York Institute of Technology
- New Zealand Ministry of Education
- Principals Australia Institute
- SWITCH
- Teachers College Columbia University
- Totara LMS
- University of the Arts London
Mahara 1.8
Mahara 1.8 was released on 24 October 2013.
- ARNES
- Catalyst IT
- Forth Valley College, Jasmin Jodge
- iCampus21
- Lancaster University
- Massey University
- NetSpot
- New Zealand Ministry of Education
- Teachers College Columbia University
- University of California, San Francisco
- University of the Arts London
Mahara 1.7
Mahara 1.7 was released on 19 April 2013.
Mahara 1.6
Mahara 1.6 was released on 17 April 2012.
- Aotearoa New Zealand Association of Social Workers
- Catalyst IT
- Deltak edu
- Lancaster University
- New Zealand Ministry of Education
- PLANE
- Southampton Solent University
- Teaching and Learning Centre, University of Canberra
- University of the Arts London
Mahara 1.5
Mahara 1.5 was released on 13 June 2011.
- Birmingham City University
- Catalyst IT
- Deltak edu
- Education Services Australia
- Goucher College
- Lancaster University
- New Zealand Ministry of Education
- PLANE
- Rocky View Schools
- Two Sense Media
- United World College of South East Asia
- Teaching and Learning Centre, University of Canberra
Pre-Mahara 1.5
The University of Glasgow have funded several pieces of work for us, including View Templates, part of Import/Export (the HTML export is thanks to them), and various bug fixes.
GLISI / Ray Merrill funded enhancements to Mahara's groups, and Ray has provided much invaluable guidance around Mahara's usability.
With JISC funding we were able to add import/export functionality to the Mahara e-portfolio system, as part of the 1.2 release. This work was sponsored by the University of London Computer Centre, University of Glasgow and JISC Cetis.
A collaborative group in the State of New Hampshire funded the ability to submit Mahara Views for assessment in Moodle, through a grant from the New Hampshire Department of Education.
Cambridge University School of Clinical Medicine sponsored the development of the plugin Problems & Conditions.
The BScE at the University of Luxembourg funded the development of the tag cloud, improvements to the feedback function in the 1.2 and 1.3 releases, and bug fixes for Mac servers.
Birmingham City University funded the initial development work for Collections and Plans (new features in Mahara 1.3). They also supported the development of locking down blog posts and files that are used in submitted views.
Lancaster University Network Services (LUNS Ltd.) was funded by Cumbria and Lancashire Education Online (CLEO) to design several features.
The New Zealand Ministry of Education funded a large number of features and usability changes to Mahara 1.4 and 1.5 that were implemented by Catalyst IT.