mahara-contributors team mailing list archive

[Bug 1057238] Re: Arbitrary Code Execution via pathtoclam config setting


** Changed in: mahara/1.5
    Milestone: None => 1.5.4

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1057238

Title:
  Arbitrary Code Execution via pathtoclam config setting

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.4 series:
  In Progress
Status in Mahara 1.5 series:
  In Progress

Bug description:
  This bug is related to bug #1055232

  The ability of the administrator to set the path to clamav can be
  abused. For instance changing the path to clamav from '/path/to/av' to
  '/path/to/maharadata/artefact/file/originals/9/9' can cause a
  malicious uploaded file to be executed. This requires that the saved file
  is set to executable on upload, which currently it is.

  They could also potentially set it to /bin/bash, allowing any user to upload
  a shell script that doesn't require the executable bit set to run.

  Fixes:
  - Because installing antivirus will require shell access to the
  server it seems reasonable to require setting the path to the AV be
  done in a configuration file rather than a settings page. It could be
  argued that in web applications generally, admin web access should not
  be equivalent to shell access, due to the relative ease of session
  compromise (as compared to shell access).
  - Uploaded files should not be set to executable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1057238/+subscriptions
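The two fixes the report lists, shown as working checks. This is an added example in Python, not code from Mahara (which is PHP) or from the reporter; the allowlist, the dataroot location and the stand-in scanner path are assumed inputs constructed for the demonstration.

```python
import os
import stat
import tempfile

def resolve_av_path(configured, allowed, dataroot):
    """Scanner binary to run, or None. The value comes from the config file
    (never the settings page), must be allowlisted, must not live under the
    upload dataroot, and must be a regular file that is not world-writable."""
    if configured not in allowed:
        return None
    real = os.path.realpath(configured)
    if real.startswith(os.path.realpath(dataroot) + os.sep):
        return None
    if not os.path.isfile(real) or os.stat(real).st_mode & stat.S_IWOTH:
        return None
    return real

def save_upload(content, dest_dir, name):
    """Write an upload with no execute bits. O_EXCL never clobbers an existing
    file; fchmod defeats a permissive umask or default ACL. Returns (path, mode)."""
    path = os.path.join(dest_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    try:
        os.fchmod(fd, 0o640)
        os.write(fd, content)
    finally:
        os.close(fd)
    return path, stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Constructed scenario from the report, run in a temporary dataroot."""
    with tempfile.TemporaryDirectory() as root:
        dataroot = os.path.join(root, "maharadata")
        updir = os.path.join(dataroot, "artefact", "file", "originals", "9")
        os.makedirs(updir)
        uploaded, mode = save_upload(b"#!/bin/sh\necho hello\n", updir, "9")
        scanner = os.path.join(root, "clamscan")  # stands in for /usr/bin/clamscan
        with open(scanner, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(scanner, 0o755)
        return {
            "upload_executable": bool(mode & 0o111),
            "scanner_ok": resolve_av_path(scanner, (scanner,), dataroot) is not None,
            "not_allowlisted": resolve_av_path("/bin/bash", (scanner,), dataroot),
            "inside_dataroot": resolve_av_path(uploaded, (uploaded,), dataroot),
        }

if __name__ == "__main__":
    print(demo())
```

The allowlist check alone already rejects `/bin/bash`; the dataroot check is what stops an allowlisted-looking path from pointing at an uploaded artefact.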