mahara-contributors team mailing list archive
Message #12541
[Bug 1190788] [NEW] Can cause arbitrary SWF files to execute in the browser
*** This bug is a security vulnerability ***
Private security bug reported:
Subject: Found Critical XSS Vulnerability on Your System
Hello,
I found a really critical XSS (Cross Site Scripting) vulnerability on
mahara.org. The vulnerability works as follows:
1) I opened the demo account on Mahara and logged into the admin account
by using the link "http://demo.mahara.org/".
2) Then I clicked the admin avatar picture to go to the user details page.
3) After that I clicked the "edit this page" button.
4) Then I dragged the "File(s) to Download" image to the About me section of the page.
5) I created a .swf file that contains ActionScript code. I also attached that file to this email.
6) I uploaded that XSS.swf file.
7) When I opened the XSS.swf file in the browser, I saw the alert message showing
SOLVER (my nickname).
8) Example script:
http://demo.mahara.org/artefact/file/download.php?file=247
By using this XSS vulnerability, an attacker can steal Mahara users'
cookies, and their accounts. Furthermore, the attacker can redirect
users to a harmful website that contains a trojan horse, malware or a
JavaScript downloader to get full access to the users' computers. This
issue can get bigger by using an XSS worm, and influence even some other
Mahara product users.
As a simple solution, the content of the file that is about to be
uploaded should be checked against harmful scripts and codes.
** Affects: mahara
Importance: High
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Tags: flash security
** Attachment added: "The SWF file the reportee attached"
https://bugs.launchpad.net/bugs/1190788/+attachment/3702734/+files/XSS.swf
** Information type changed from Public to Private Security
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1190788
Title:
Can cause arbitrary SWF files to execute in the browser
Status in Mahara ePortfolio:
Confirmed
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1190788/+subscriptions
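The fix the reporter suggests, checking what an uploaded file actually is rather than trusting its name, as a PHP example added here (not Mahara's code; `is_active_content` and `download_headers` are hypothetical names). It goes beyond the SWF case to HTML and SVG, which browsers will likewise execute when served inline from the site's own origin:

```php
<?php
// Added example, not Mahara's own code: a hypothetical download handler that
// refuses to render uploaded active content inline, whatever the uploader named it.
// Magic bytes of Flash files: uncompressed (FWS), zlib (CWS) and LZMA (ZWS).
const ACTIVE_CONTENT_MAGIC = ['FWS', 'CWS', 'ZWS'];
// Markup that browsers will parse, and run scripts from, when served inline.
const ACTIVE_CONTENT_MARKERS = ['<script', '<svg', '<html', '<!doctype html', '<?xml'];

// True when the leading bytes of $data identify a format the browser would execute.
// The check looks at content, never at the extension or the declared MIME type.
function is_active_content(string $data): bool
{
    if (in_array(substr($data, 0, 3), ACTIVE_CONTENT_MAGIC, true)) {
        return true;
    }
    // Probe the first 1 KiB case-insensitively for script-bearing markup.
    $probe = strtolower(substr($data, 0, 1024));
    foreach (ACTIVE_CONTENT_MARKERS as $marker) {
        if (strpos($probe, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Response headers for a user upload. Active content is always sent as an opaque
// attachment so the browser downloads it rather than running it in the site's
// origin; everything else is served inline with content sniffing disabled.
function download_headers(string $filename, string $data): array
{
    // Keep a hostile filename from breaking out of the header value.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename);
    $headers = ['X-Content-Type-Options' => 'nosniff'];
    if (is_active_content($data)) {
        $headers['Content-Type'] = 'application/octet-stream';
        $headers['Content-Disposition'] = 'attachment; filename="' . $safe . '"';
    } else {
        $headers['Content-Disposition'] = 'inline; filename="' . $safe . '"';
    }
    return $headers;
}

// Constructed sample: the start of an uncompressed SWF, as the reported XSS.swf would begin.
$sample = "FWS\x0a" . str_repeat("\x00", 8);
foreach (download_headers('XSS.swf', $sample) as $name => $value) {
    echo "$name: $value\n";   // a real handler would call header("$name: $value") instead
}
```

Forcing a download limits the damage but does not remove it entirely; the stronger defence is to serve user uploads from a separate origin so that nothing executing there can read the main site's cookies.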