Don't send plaintext RSS password back to browser
Bug #1016253 reported by Darren James Harkness
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Critical | Son Nguyen | 
1.5 | Fix Released | Critical | Unassigned | 
1.6 | Fix Released | Critical | Unassigned | 
1.7 | Fix Released | Critical | Unassigned | 
Bug Description
The externalfeed block should protect user credentials when authenticated RSS feeds are used. The blocktype in Mahara 1.5.1 appears to store login credentials in cleartext within the database.
This presents an unfortunate vulnerability that could give access to other systems should Mahara's database be compromised.
Activity log

Field | Change
---|---
description | updated
status (mahara) | New → Triaged
importance (mahara) | Undecided → Medium
milestone (mahara) | none → 1.6.0
status (mahara) | Triaged → Confirmed
assignee (mahara) | nobody → Son Nguyen (ngson2000)
status (mahara) | Confirmed → In Progress
milestone (mahara) | 1.6.0 → 1.7.0
information type | Public → Private Security
information type | Private Security → Public Security
summary | Authenticated RSS feeds should encrypt login credentials → Don't send plaintext RSS password back to browser
milestone (mahara) | 1.8.0rc1 → none
status (mahara) | Fix Committed → Fix Released
This is similar to https://bugs.launchpad.net/mahara/+bug/611045 - if it's not stored in cleartext, the feed can't be updated later. I guess there could be an option to grab the feed once only on block configuration, then throw the password away, but I think the default should be to store and do updates.
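The tension in this thread is that the feed password has to stay recoverable on the server so the block can refresh the feed, yet the block configuration form must not hand that password back to the browser. The fix the bug title settles on is the second half: render a placeholder in the password field and only overwrite the stored secret when the user types a new one. The following is an added illustration of that pattern, not Mahara's code; the `FeedStore` class, the `PASSWORD_UNCHANGED` sentinel and the sample feed values are all constructed for this example.

```python
import base64
from dataclasses import dataclass, field

# Sentinel rendered into the password field of the config form instead of the
# real secret. If the browser sends this value back unchanged it means "keep
# the stored password". (Constructed for this example.)
PASSWORD_UNCHANGED = "********"


@dataclass
class FeedConfig:
    url: str
    username: str = ""
    password: str = ""  # used server-side only; never echoed to the browser


@dataclass
class FeedStore:
    """Stand-in for the table that holds external feed block settings."""

    feeds: dict = field(default_factory=dict)

    def config_form_values(self, feed_id):
        """Values rendered into the block configuration form."""
        feed = self.feeds[feed_id]
        return {
            "url": feed.url,
            "username": feed.username,
            # The browser only needs to know whether a password is set,
            # not what it is, so send the placeholder rather than the secret.
            "password": PASSWORD_UNCHANGED if feed.password else "",
        }

    def save_config(self, feed_id, submitted):
        """Apply a submitted form, keeping the old password unless a new one
        was typed. An empty submission clears the stored credential."""
        feed = self.feeds.get(feed_id, FeedConfig(url=""))
        feed.url = submitted["url"]
        feed.username = submitted.get("username", "")
        new_password = submitted.get("password", "")
        if new_password != PASSWORD_UNCHANGED:
            feed.password = new_password
        self.feeds[feed_id] = feed
        return feed


def basic_auth_header(feed):
    """HTTP Basic Authorization header built server-side when the feed is
    refreshed; this is the only place the stored password is read."""
    if not feed.username:
        return None
    raw = f"{feed.username}:{feed.password}".encode()
    return "Basic " + base64.b64encode(raw).decode()
```

Because the sentinel never leaves the server as the real secret, a page source view, browser cache or proxy log of the configuration form reveals nothing about the credential, while the refresh path still has the cleartext it needs. Encrypting the column at rest with a server-held key would be a separate, complementary measure and is not shown here.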