CVE-2017-1000171

9.8 CRITICAL

📋 TL;DR

Mahara Mobile versions before 1.2.1 log user passwords in plain text in the Mahara access log. This allows anyone with access to these logs to read user credentials. All users of vulnerable Mahara Mobile installations are affected.

💻 Affected Systems

Products:
  • Mahara Mobile
Versions: All versions before 1.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the mobile application component of Mahara e-portfolio systems. The vulnerability is in the logging mechanism.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to the Mahara system, potentially compromising all user accounts, stealing sensitive data, and using the platform for further attacks.

🟠

Likely Case

Unauthorized users with log access can harvest credentials to impersonate legitimate users, access their data, and potentially pivot to other systems if password reuse occurs.

🟢

If Mitigated

With proper log access controls and monitoring, exposure is limited to authorized administrators, who could still read the passwords but whose log access would be audited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to Mahara access logs, which typically requires some level of system access. The vulnerability is simple to exploit once log access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.1

Vendor Advisory: https://github.com/MaharaProject/mahara-mobile/issues/33

Restart Required: Yes

Instructions:

1. Upgrade Mahara Mobile to version 1.2.1 or later.
2. Restart the Mahara Mobile service.
3. Verify the fix by checking that passwords are no longer logged in plain text.

🔧 Temporary Workarounds

Restrict Log Access (Linux)

Limit access to Mahara access logs to only authorized administrators.

chmod 640 /path/to/mahara/logs/*
chown root:admin /path/to/mahara/logs/*

Disable Detailed Logging (all platforms)

Configure Mahara to not log sensitive authentication data.

Edit the Mahara configuration to reduce logging verbosity for authentication events.

🧯 If You Can't Patch

  • Implement strict access controls on log files and directories
  • Monitor log access and implement alerting for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check Mahara Mobile version. If version is below 1.2.1, examine access logs for plain text password entries.

Check Version:

Check Mahara Mobile configuration or package manager for version information

Verify Fix Applied:

After patching, verify that passwords are no longer visible in plain text in Mahara access logs.

📡 Detection & Monitoring

Log Indicators:

  • Plain text passwords appearing in Mahara access logs
  • Unauthorized access to log files

Network Indicators:

  • Authentication attempts for many different users originating from hosts that hold, or can read, the Mahara log files

SIEM Query:

source="mahara_logs" AND "password="
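The verification step ("examine access logs for plain text password entries") and the SIEM query above both come down to scanning request lines in the access log for credential-bearing query strings. The following added example, which is not from the advisory or the Mahara project, does that over constructed sample lines and redacts the value before reporting a finding, so the scan itself does not re-leak the secret; the parameter list and the /login.php path are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string parameter names that should never reach an access log.
# Assumed list for this example; the advisory itself only names "password".
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "token"}

# Quoted request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# name=value for any sensitive name, used to scrub values before a finding is reported.
REDACT_RE = re.compile(
    r'(?<!\w)(' + '|'.join(sorted(SENSITIVE_PARAMS)) + r')=[^&\s"]*', re.IGNORECASE)

# Constructed sample lines (hypothetical paths; not real Mahara Mobile log output).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2017:10:01:02 +0000] "GET /login.php?username=alice&password=Secret123 HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Jun/2017:10:01:09 +0000] "POST /login.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jun/2017:10:02:30 +0000] "GET /view/index.php?id=42&password= HTTP/1.1" 200 2048',
]

def leaked_params(line):
    """Return sorted names of sensitive parameters that carry a non-empty value in the request URL."""
    m = REQUEST_RE.search(line)
    if not m:
        return []  # not a request line we understand; nothing to report
    query = urlsplit(m.group("target")).query
    return sorted({name.lower() for name, value in parse_qsl(query, keep_blank_values=True)
                   if name.lower() in SENSITIVE_PARAMS and value})

def redact(line):
    """Replace each sensitive value so the finding can be stored or forwarded safely."""
    return REDACT_RE.sub(r'\1=[REDACTED]', line)

def scan_log(lines):
    """Return (line_number, leaked_names, redacted_line) for every line that leaks a credential."""
    findings = []
    for number, line in enumerate(lines, start=1):
        names = leaked_params(line)
        if names:
            findings.append((number, names, redact(line)))
    return findings

if __name__ == "__main__":
    for number, names, line in scan_log(SAMPLE_LOG):
        print(f"line {number}: leaked {', '.join(names)}: {line}")
```

A blank `password=` (third sample line) is not reported, because an empty value leaks nothing; the POST line is not reported either, since form bodies do not appear in an access log, which is why a grep for `password=` alone only covers GET-style leaks.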

🔗 References
