Mahara

Don't send plaintext RSS password back to browser

Bug #1016253 reported by Darren James Harkness
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
Critical
Son Nguyen
1.5
Fix Released
Critical
Unassigned
Mahara 1.5.10
1.6
Fix Released
Critical
Unassigned
Mahara 1.6.5
1.7
Fix Released
Critical
Unassigned
Mahara 1.7.1

Bug Description

The externalfeed block should protect user credentials when authenticated RSS feeds are used. The blocktype in Mahara 1.5.1 appears to store login credentials in cleartext within the database.

This presents an unfortunate vulnerability that could give access to other systems should Mahara's database be compromised.

See original description

CVE References

Darren James Harkness (darren-athabascau)
description: updated
Revision history for this message
Richard Mansfield (richard-mansfield) wrote :

This is similar to https://bugs.launchpad.net/mahara/+bug/611045 - if it's not stored in cleartext, the feed can't be updated later. I guess there could be an option to grab the feed once only on block configuration, then throw the password away, but I think the default should be to store and do updates.

Revision history for this message
Darren James Harkness (darren-athabascau) wrote :

The scope of this is a bit larger than the LDAP credentials, given the potential variety in accessible domains.

One could potentially use key-based encryption, storing the key in config.php, using mcrypt. It wouldn't be bulletproof, but it would prevent against SQL injection attacks or misplaced database dumps.

Hugh Davenport (hugh-davenport)
Changed in mahara:
status: New → Triaged
importance: Undecided → Medium
Kristina Hoeppner (kris-hoeppner)
Changed in mahara:
milestone: none → 1.6.0
status: Triaged → Confirmed
Son Nguyen (ngson2000)
Changed in mahara:
assignee: nobody → Son Nguyen (ngson2000)
status: Confirmed → In Progress
Revision history for this message
Son Nguyen (ngson2000) wrote :

https://reviews.mahara.org/#/c/1440/

Hugh Davenport (hugh-davenport)
Changed in mahara:
milestone: 1.6.0 → 1.7.0
Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote :

Do you have an RSS feed with credentials that can be used for testing, Son?

Revision history for this message
Son Nguyen (ngson2000) wrote :

Hi Kristina;

I will create an authenticated RSS for you to test.

Revision history for this message
Son Nguyen (ngson2000) wrote :

For testing:

URL: http://ptcjsc.com/wp/?feed=rss2
Username: tester
Password: qwe123

Revision history for this message
Aaron Wells (u-aaronw) wrote :

This one's got a fix that was verified and code-reviewed, but now the rebase causes conflicts. So, we should try to get it straightened out for inclusion in 1.8.0, and 1.7.1 (since leaving sensitive information unencrypted is a security problem).

Changed in mahara:
importance: Medium → High
milestone: 1.7.0 → 1.8.0
importance: High → Critical
Aaron Wells (u-aaronw)
information type: Public → Private Security
Revision history for this message
Aaron Wells (u-aaronw) wrote :

Hm, there are actually two pieces to this bug, which can be implemented separately.

1. Encrypt the RSS feed passwords (and usernames? and maybe even URLs?) in the database, so that a SQL injection vuln that allows people to read the DB won't expose the passwords.

2. Don't send the plaintext passwords (and/or usernames and/or URLs) to the user's browser, so that people who gain access to their account won't be able to read them.

Revision history for this message
Aaron Wells (u-aaronw) wrote :

There was a bug in how Mahara handled it when you edited the username or password on an authenticated RSS feed. That was making it difficult to test this bug, so I've fixed it first: https://reviews.mahara.org/2095

Revision history for this message
Aaron Wells (u-aaronw) wrote :

And here's the fix to issue #2 mention in my previous comment, "Don't send the plaintext passwords (and/or usernames and/or URLs) to the user's browser:

https://reviews.mahara.org/2096

I think we should push this with the security release early this week, and we can work on encrypting them in the database for the next release.

Revision history for this message
Aaron Wells (u-aaronw) wrote :

Another minor bug fix under this same heading. Leap2A export format should not include plaintext RSS block password, or else that provides a handy way to bypass the password secrecy.

https://reviews.mahara.org/2098

Revision history for this message
Aaron Wells (u-aaronw) wrote :

Committed and backported to 1.5, 1.6, and 1.7:

Don't include RSS passwords in Leap2A:
• master: https://reviews.mahara.org/#/c/2098/
• 1.7: https://reviews.mahara.org/#/c/2106
• 1.6: https://reviews.mahara.org/#/c/2107
• 1.5: https://reviews.mahara.org/#/c/2108

terminal error with mistaken in auth RSS feed:
• master: https://reviews.mahara.org/#/c/2095/
• 1.7: https://reviews.mahara.org/2109
• 1.6: I accidentally just pushed it instead of submitting to gerrit
• 1.5: https://reviews.mahara.org/2110

don't send RSS password in plaintext:
• master: https://reviews.mahara.org/#/c/2096
• 1.7: https://reviews.mahara.org/#/c/2111
• 1.6: https://reviews.mahara.org/#/c/2112
• 1.5: https://reviews.mahara.org/#/c/2113

Changed in mahara:
status: In Progress → Fix Committed
Aaron Wells (u-aaronw)
information type: Private Security → Public Security
Aaron Wells (u-aaronw)
summary: - Authenticated RSS feeds should encrypt login credentials
+ Don't send plaintext RSS password back to browser
Revision history for this message
Aaron Wells (u-aaronw) wrote :

Spun off the original idea of encrypting the RSS contents in the DB, into a separate bug: https://bugs.launchpad.net/mahara/+bug/1175538

Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 1.8.0rc1 → none
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.