Debian Security Advisory

DSA-2030-1 mahara -- sql injection

Date Reported:
06 Apr 2010
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2010-0400.
More information:

It was discovered that mahara, an electronic portfolio, weblog, and resume builder is not properly escaping input when generating a unique username based on a remote user name from a single sign-on application. An attacker can use this to compromise the mahara database via crafted user names.

For the stable distribution (lenny), this problem has been fixed in version 1.0.4-4+lenny5.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 1.2.4-1.

We recommend that you upgrade your mahara packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.