Possible https to http downgrade
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Ruslan Kabalin | |
| 1.2 | Fix Released | High | Ruslan Kabalin | |
| 1.3 | Fix Released | High | Ruslan Kabalin | |
Bug Description
Interesting that with both, bug #646713 and bug #684190, we overlooked the most obvious and relatively sensitive issue.
Even though $cfg->wwwroot might be set 'https:/
This is valid for other pages after logging in - at any time the user may switch back to an insecure connection by typing 'http://
This can be fixed by ensuring that $_SERVER['HTTPS'] is set when $cfg->wwwroot = 'https:/
CVE References
| summary: | If wwwroot is defined to use https, it is not the fact that it is being used. → Possible https to http downgrade |
| Changed in mahara: | |
| status: | Confirmed → In Progress |
| Changed in mahara: | |
| assignee: | nobody → Ruslan Kabalin (ruslan-kabalin) |
| visibility: | private → public |
| Changed in mahara: | |
| status: | In Progress → Fix Committed |
| Changed in mahara: | |
| status: | Fix Committed → Fix Released |
| milestone: | 1.4.0 → none |

Another thing that is worth doing as far as the server configuration is concerned is to enable HSTS:
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
http://www.debian-administration.org/article/662/Enabling_HTTP_Strict_Transport_Security_on_debian_servers
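Putting the fix described in the report (refuse to serve over plain http when $cfg->wwwroot is https) together with the HSTS suggestion from the comment above, as an added PHP example that is not Mahara's own code; the hostname, the helper names and the six-month HSTS lifetime are assumptions:

```php
<?php
// Added example, not Mahara code: enforce the scheme that $cfg->wwwroot declares.

function request_is_https(array $server): bool
{
    // PHP SAPIs set $_SERVER['HTTPS'] to a non-empty value other than 'off'
    // when TLS was used. Port 443 is a fallback for setups that omit HTTPS.
    // Assumption: TLS terminates at this server, not at an upstream proxy.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

function wwwroot_redirect_target(string $wwwroot, array $server): ?string
{
    // Returns the https URL to redirect to, or null when no redirect is needed.
    if (parse_url($wwwroot, PHP_URL_SCHEME) !== 'https') {
        return null; // site is not configured for https; nothing to enforce
    }
    if (request_is_https($server)) {
        return null; // already on https, carry on
    }
    // Rebuild the requested path under the host from wwwroot, not from the
    // Host header, so the client cannot choose where it gets redirected.
    $host = parse_url($wwwroot, PHP_URL_HOST);
    $path = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . '/' . ltrim($path, '/');
}

// Hypothetical configuration value, constructed for this example.
$cfg = new stdClass();
$cfg->wwwroot = 'https://mahara.example.org/';

$target = wwwroot_redirect_target($cfg->wwwroot, $_SERVER);
if ($target !== null) {
    // Plain-http request against an https site: send the browser back to
    // https instead of answering (and exposing the session cookie) over http.
    header('Location: ' . $target, true, 301);
    exit;
}

// Reached only over https. HSTS tells the browser to keep using https for
// this host (and subdomains) for the next six months, so a later typed
// http:// URL is upgraded client-side before any request leaves the browser.
header('Strict-Transport-Security: max-age=15552000; includeSubDomains');
```

Note that the HSTS header is only honoured by browsers when received over a valid https connection, which is why it is sent after the redirect check rather than on every response.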