Debian Security Advisory

DSA-1736-1 mahara -- insufficient input sanitising

Date Reported:
10 Mar 2009
Affected Packages:
mahara
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2009-0660.
More information:

It was discovered that mahara, an electronic portfolio, weblog, and resume builder, is prone to cross-site scripting attacks, which allows the injection of arbitrary Java or HTML code.

The oldstable distribution (etch) does not contain mahara.

For the stable distribution (lenny), this problem has been fixed in version 1.0.4-4+lenny1.

For the testing distribution (squeeze) and the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your mahara package.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny1.dsc
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny1.diff.gz
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny1_all.deb
http://security.debian.org/pool/updates/main/m/mahara/mahara-apache2_1.0.4-4+lenny1_all.deb

MD5 checksums of the listed files are available in the original advisory.