Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https

Bug #1734767 reported by Robert Lyon
Affects        Status        Importance  Assigned to  Milestone
Mahara         Fix Released  High        Unassigned   -
Mahara 16.10   Fix Released  High        Unassigned   -
Mahara 17.04   Fix Released  High        Unassigned   -
Mahara 17.10   Fix Released  High        Unassigned   -
Mahara 18.04   Fix Released  High        Unassigned   -

Bug Description

If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.
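Added example (not Mahara's code or the fix linked below): a small Python helper showing the two sides of this report. hsts_header_value() builds the header a server should send, and only when the request actually arrived over HTTPS, because browsers ignore HSTS on plain-HTTP responses (RFC 6797), so the HTTP side must rely on the redirect. audit_hsts() is the check an administrator would run over the headers of their own site after the fix is deployed. The sample response dictionaries are constructed, and the one-year minimum age is a conventional choice, not a value from this bug.

```python
from typing import Dict, List, Optional

# Constructed sample response headers; not captured from any real Mahara site.
GOOD_HTTPS_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
WEAK_HTTPS_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=0",
}
NO_HSTS_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
}

ONE_YEAR = 31536000  # seconds; a common minimum for a production HSTS policy (assumption)


def hsts_header_value(is_https: bool, max_age: int = ONE_YEAR,
                      include_subdomains: bool = True) -> Optional[str]:
    """Value to attach to the response, or None when the request came in over
    plain HTTP. RFC 6797 tells browsers to ignore HSTS on non-TLS responses, so
    on HTTP the only useful action is the redirect to HTTPS described above."""
    if not is_https:
        return None
    value = f"max-age={int(max_age)}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains' into a directive map.
    Directive names are case-insensitive per RFC 6797, so they are lowercased;
    a directive without a value maps to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def audit_hsts(headers: Dict[str, str], min_age: int = ONE_YEAR) -> List[str]:
    """Findings for one HTTPS response's headers; an empty list means the
    policy meets the minimum. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("strict-transport-security")
    if raw is None:
        return ["missing Strict-Transport-Security header"]
    findings: List[str] = []
    directives = parse_hsts(raw)
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age directive missing or not an integer")
    elif int(age) == 0:
        findings.append("max-age=0 disables the policy")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below the {min_age}s minimum")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains stay reachable over HTTP")
    return findings


if __name__ == "__main__":
    # Typical use: feed in the headers from `curl -sI https://your-site/`
    for label, resp in (("good", GOOD_HTTPS_RESPONSE),
                        ("weak", WEAK_HTTPS_RESPONSE),
                        ("none", NO_HSTS_RESPONSE)):
        print(label, audit_hsts(resp) or "OK")
```

The audit deliberately treats max-age=0 as its own finding: that value is what a site sends to withdraw a previously issued policy, so seeing it on a production host usually means a misconfiguration rather than an intentional rollback.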

Kristina Hoeppner (kris-hoeppner) wrote :

Fix at https://reviews.mahara.org/#/c/8312/

Reported by Kirti AR.

summary: - Mahara needing the Content Security Policy (CSP) to define what is/isn't
- allowed
+ Mahara needing the HTTP Strict Transport Security (HSTS) header when
+ site is https
description: updated
Changed in mahara:
status: Confirmed → In Progress
Robert Lyon (robertl-9)
information type: Private Security → Public Security