Actions

Developer Area/Significant Bug Documentation

From Mahara Wiki

< Developer Area
Revision as of 15:22, 18 September 2012 by Melissadraper (talk | contribs) (Created page with "= Security bugs = Take care when trying to "fix" the oddities that remedies for these bugs have caused. [https://bugs.launchpad.net/mahara/+bug/1047111 #1047111] <tt> There is…")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Security bugs

Take care when trying to "fix" the oddities that remedies for these bugs have caused.

#1047111

There is a security issue with the default XML parser for PHP, where ENTITY fields are loaded and substituted in text parts.

This allows possible attackers to read from internal networks, or files readable by the web server user.

This includes reading of the config.php file, which contains sensitive information such as the database password, and the password salt field.

The fix for this was to include a call to libxml_disable_entity_loader(true) during the initialization of a page. This is based on a report from Mike Haworth

The vulnerability was present in the admin area when uploading Leap2A users, and also in the user page area where a user could provide a RSS feed with specific XML ENTITY fields.

More information can be found at the following:

http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html