Debian Security Advisory
DSA-1822-1 mahara -- insufficient input sanitization
- Date Reported:
- 23 Jun 2009
- Affected Packages:
- mahara
- Vulnerable:
- Yes
- Security database references:
- No other external database security references currently available.
- More information:
-
It was discovered that mahara, an electronic portfolio, weblog, and resume builder is prone to several cross-site scripting attacks, which allow an attacker to inject arbitrary HTML or script code and steal potential sensitive data from other users.
The oldstable distribution (etch) does not contain mahara.
For the stable distribution (lenny), this problem has been fixed in version 1.0.4-4+lenny3.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in version 1.1.5-1.
We recommend that you upgrade your mahara packages.
- Fixed in:
-
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny3.diff.gz
- http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny3.dsc
- http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny3.dsc
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny3_all.deb
- http://security.debian.org/pool/updates/main/m/mahara/mahara-apache2_1.0.4-4+lenny3_all.deb
- http://security.debian.org/pool/updates/main/m/mahara/mahara-apache2_1.0.4-4+lenny3_all.deb
MD5 checksums of the listed files are available in the original advisory.