[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2011-04-21 Thread Ruslan Kabalin
** Changed in: mahara
 Assignee: (unassigned) => Ruslan Kabalin (ruslan-kabalin)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/646713

Title:
  js config.wwwroot ignores httpswwwroot

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  Originally reported in
  http://mahara.org/interaction/forum/topic.php?id=1746

  If wwwroot and httpswwwroot are both set and they're set differently, then
  users accessing mahara over https won't be able to retrieve various things -
  e.g. help snippets.
  If the user is coming over https, and httpswwwroot is set, we should be using
  that instead of the wwwroot.
  If they use the wwwroot, then browsers see this as XSS and block various
  things - e.g. help files.

  This is *only* a problem when visiting over https and the wwwroot is
  set to http. The only place I can see where we actively pass users
  from http to https is the account settings page. That said, users can
  visit the httpswwwroot instead of the wwwroot and will see this on any
  page that they visit (until they click a link that is...).

  I've marked this a security bug for the moment until someone else has had a
  look.
  I think we may need to have more of a review of this - the ajaxlogin also
  uses config.wwwroot regardless of the setting of httpswwwroot.

  Andrew

___
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
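The base-URL selection and the same-origin check behind the bug report above, as an added example that is not Mahara's own code: it assumes a client-side config object with wwwroot and httpswwwroot keys like the JS config the bug names, and the helper names, sample config and URLs are constructed for this illustration.

```javascript
// Added illustration, not Mahara code. Models the bug: the page is served
// over https but client-side code builds request URLs from config.wwwroot
// (http), so the browser's same-origin policy withholds the response.
// Helper names and the sample config/URLs below are constructed.

// Origin = scheme + host + port, the tuple the same-origin policy compares.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Base URL the client-side code should use: httpswwwroot when the page
// itself was loaded over https and httpswwwroot is configured, else wwwroot.
function chooseWwwroot(config, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol === 'https:' && config.httpswwwroot) {
    return config.httpswwwroot;
  }
  return config.wwwroot;
}

// True when a request from the page at pageUrl to base + path crosses an
// origin boundary, i.e. the browser will block it (the "help snippets"
// failure the report describes). Port-aware: https://host:8443 is a
// different origin from https://host.
function wouldBeBlocked(base, path, pageUrl) {
  const target = new URL(path, base).href;
  return !sameOrigin(target, pageUrl);
}

// Constructed sample: wwwroot and httpswwwroot both set and different.
const sampleConfig = {
  wwwroot: 'http://mahara.example.org/',
  httpswwwroot: 'https://mahara.example.org/',
};
const httpsPage = 'https://mahara.example.org/account/';
const helpPath = 'help-snippet'; // constructed path standing in for a help file

// Buggy behaviour: always using config.wwwroot, even on an https page.
const buggyBase = sampleConfig.wwwroot;
// Intended behaviour: pick the base matching the page's protocol.
const fixedBase = chooseWwwroot(sampleConfig, httpsPage);

function demo() {
  return {
    buggyBlocked: wouldBeBlocked(buggyBase, helpPath, httpsPage), // true
    fixedBlocked: wouldBeBlocked(fixedBase, helpPath, httpsPage), // false
  };
}

console.log(demo());
```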


[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2011-04-20 Thread Ruslan Kabalin
** Tags added: https



[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2011-04-11 Thread François Marier
Thanks for the clarification Iñaki !



[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2011-04-11 Thread Iñaki Arenaza
I have just read the last developer meeting minutes, and wanted to
clarify that I'm fine with the removal :-)



[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2011-03-23 Thread François Marier
During upgrade, we'll need to make sure admins are warned about this
change.

I suggest a pre-upgrade check that will abort the whole upgrade if
httpswwwroot is set in config.php. A message like this could be
displayed:

"HTTPS logins have been removed. You need to remove the httpswwwroot
variable and switch your wwwroot to https."

and then a link to this wiki page for more details:
http://wiki.mahara.org/Release_Notes/1.4.0/Removal_of_httpswwwroot



[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2011-03-22 Thread Iñaki Arenaza
Then, so be it!



[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2011-03-21 Thread Ruslan Kabalin
I agree, full SSL support is required. httpswwwroot config option should
be deprecated.



[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2011-03-20 Thread François Marier
and here's the Google link I forgot to include:

  http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html



[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2011-03-20 Thread François Marier
As Firesheep (http://codebutler.com/firesheep?c=1) has pointed out,
logins are not the only thing that needs to be protected. Session theft
is now a very real threat.

Also, Google has released numbers showing that the overhead of SSL is
actually fairly small. We should probably encourage people to run full
SSL sites, especially if they already have a cert for their logins. No?



[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2010-12-21 Thread Iñaki Arenaza
As Andrew points out, due to the way we deal with logins (at the same
URL with a transitent content, instead of using a round trip to a
different login URL like Moodle does), it's completely impossible to
make the Ajax based login work with it (the Javascript security model
forbids it, as it's clearly a XSS).

I talked about this with Nigel when I developed the patch, and he
thought the feature was still valuable (and demanded[*]) even if we
didn't protect the ajax based logins, so that's why it got in.

On the other hand, I don't think httpswwwroot could break mnet certs. We
don't use httpswwwroot for anything touching mnet at all (if I'm not
mistaken), only for local logins, and only for the login process itself
(so exports shouldn't be affected either).

I guess we are not going to change the way logins are handled, so this
is a bit of a dead end.

[*] Many people don't need or aren't interested in protecting the
contents of their Mahara site, but they need to protect their usernames
and passwords (e.g., they may be using their LDAP credentials, that are
reused in other more security-sensitive environments). And running the
whole site on SSL just to protect logins is overkill IMHO (and quite a
CPU burden if your site is used more than occasionally, even if CPUs
have gotten better at crypto).

Saludos.
Iñaki.



[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot

2010-12-20 Thread François Marier
Yeah sounds like removing httpswwwroot is the solution.

** Changed in: mahara
   Importance: Undecided => Medium

** Changed in: mahara
   Status: New => Confirmed

** Changed in: mahara
Milestone: None => 1.4.0

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability
