Forums | Mahara Community
Security Announcements
HTTPS downgrade in Mahara 1.2.8 and 1.3.5
09 May 2011, 21:06
Category: HTTPS to HTTP downgrade
Severity: Low
Versions affected: < 1.2.9, < 1.3.6
Reported by: Mahara Team
Identifier: CVE-2011-1406
It has been pointed out to us that if Mahara is configured (through its wwwroot variable) to use HTTPS, it will happily let users log in via the HTTP version of the site if the web server is configured to serve content over both protocols. The new version of Mahara will, when the wwwroot points to an HTTPS URL, automatically redirect to HTTPS if it detects that it is being run over plain HTTP.
We recommend that sites wanting to run Mahara over HTTPS make sure that their web server configuration does not serve any content over HTTP and merely redirects to the secure version. We also suggest that site administrators consider adding the HSTS (HTTP Strict Transport Security) header to their web server configuration.
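As an added illustration of the application-side check described above (this is example code written for this note, not Mahara's own implementation), the following Python sketches the decision in WSGI terms: if the configured wwwroot is an HTTPS URL and the request arrived over plain HTTP, answer with a redirect to the HTTPS equivalent of the same path instead of serving the page, and emit the HSTS header only on HTTPS responses. The WWWROOT value, the request dictionaries and the `trust_proxy` key (standing in for a deployment setting that says whether a TLS-terminating proxy in front of the app may be believed) are all assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed configuration: mirrors the role of Mahara's wwwroot setting.
WWWROOT = "https://mahara.example.org/"

# HSTS header as recommended in the advisory; one year, subdomains included.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def request_is_https(environ):
    """Return True if the request reached the application over HTTPS.

    Behind a TLS-terminating proxy the app itself only sees plain HTTP, so
    X-Forwarded-Proto is honoured only when the (assumed) trust_proxy setting
    is on; otherwise a client could spoof the header and skip the redirect.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if environ.get("trust_proxy"):
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def downgrade_redirect(environ, wwwroot=WWWROOT):
    """Return the HTTPS URL to redirect to, or None when no redirect is needed.

    The check only applies when wwwroot itself is HTTPS; a site deliberately
    configured for HTTP is left alone.  Path and query string are preserved so
    the browser lands on the same page it asked for, just over TLS.
    """
    root = urlsplit(wwwroot)
    if root.scheme != "https" or request_is_https(environ):
        return None
    path = (environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")) or "/"
    query = environ.get("QUERY_STRING", "")
    return urlunsplit(("https", root.netloc, path, query, ""))


def response_headers(environ, wwwroot=WWWROOT):
    """Status line and headers for a response.

    A downgraded request gets a 301 and no body, so a login form submitted
    over HTTP is never processed by the application.  HSTS is sent only on
    HTTPS responses, because browsers ignore the header when it arrives over
    plain HTTP.
    """
    target = downgrade_redirect(environ, wwwroot)
    if target is not None:
        return "301 Moved Permanently", [("Location", target)]
    return "200 OK", [HSTS_HEADER]


def application(environ, start_response):
    """Minimal WSGI entry point showing the check in front of the real app."""
    status, headers = response_headers(environ)
    start_response(status, headers + [("Content-Type", "text/plain")])
    return [b"" if status.startswith("301") else b"secure page\n"]
```

The application-level redirect is a safety net only: by the time a plain-HTTP login request reaches it, any credentials in that request have already crossed the network unencrypted, which is why the advisory's primary recommendation is to have the web server refuse to serve content over HTTP at all and to let HSTS keep returning browsers on HTTPS.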