
mahara-contributors team mailing list archive

[Bug 1508684] [NEW] Unserialize untrusted data when importing skins

 

*** This bug is a security vulnerability ***

Private security bug reported:

Version: 1.10, 15.04, 15.10, master
Platform: any

There is an unserialize vulnerability in the skin import function.

See line 200 in htdocs/skin/import.php.

When importing the attached skin, you will see the error:

[WAR] ce (lib/web.php:3684) Object of class __PHP_Incomplete_Class could not be converted to string
Call stack (most recent first):
log_message("Object of class __PHP_Incomplete_Class could not b...", 8, true, true, "/var/www/mahara/master/htdocs/lib/web.php", 3684) at /var/www/mahara/master/htdocs/lib/errors.php:441
error(4096, "Object of class __PHP_Incomplete_Class could not b...", "/var/www/mahara/master/htdocs/lib/web.php", 3684, array(size 5)) at /var/www/mahara/master/htdocs/lib/web.php:3684
clean_css(object(__PHP_Incomplete_Class), true) at /var/www/mahara/master/htdocs/skin/import.php:200
importskinform_submit(object(Pieform), array(size 4)) at Unknown:0
call_user_func_array("importskinform_submit", array(size 2)) at /var/www/mahara/master/htdocs/lib/pieforms/pieform.php:537
Pieform->__construct(array(size 4)) at /var/www/mahara/master/htdocs/lib/pieforms/pieform.php:164
Pieform::process(array(size 4)) at /var/www/mahara/master/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 4)) at /var/www/mahara/master/htdocs/skin/import.php:64

** Affects: mahara
     Importance: Critical
     Assignee: Son Nguyen (ngson2000)
         Status: Confirmed

** Attachment added: "myskin.xml"
   https://bugs.launchpad.net/bugs/1508684/+attachment/4502005/+files/myskin.xml

** Information type changed from Public to Private Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1508684

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1508684/+subscriptions
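
The trace in the report shows clean_css() receiving an object where a string was expected, which means the value read from the uploaded skin was deserialized without a type check. The following is an added example, not Mahara's code or its eventual fix: decode_skin_field() is a hypothetical helper, the sample inputs are constructed, and it assumes PHP 7.0 or later for the allowed_classes option of unserialize().

```php
<?php
// Added illustration, not Mahara source. decode_skin_field() is hypothetical.

/**
 * Decode one serialized field taken from an uploaded skin file and return it
 * only if it is a plain string. Everything else is rejected before it can
 * reach a consumer such as a CSS cleaner.
 */
function decode_skin_field(string $raw, int $maxlen = 65536): string {
    if (strlen($raw) > $maxlen) {
        throw new InvalidArgumentException('skin field too large');
    }
    // allowed_classes => false: no class named in the payload is instantiated,
    // so no __wakeup()/__destruct() of an application class can run. Every
    // serialized object comes back as __PHP_Incomplete_Class instead.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input. A serialized boolean
    // false is not a valid CSS field either, so both cases are rejected.
    if ($value === false) {
        throw new InvalidArgumentException('skin field is not valid serialized data');
    }
    // Type check: arrays, numbers and __PHP_Incomplete_Class objects stop here.
    if (!is_string($value)) {
        throw new InvalidArgumentException('skin field has type ' . gettype($value) . ', expected string');
    }
    return $value;
}

// Constructed sample inputs, one per outcome.
$samples = [
    'string'  => serialize('body { color: #333; }'),
    'object'  => 'O:8:"Whatever":0:{}',          // object of an undefined class
    'array'   => serialize(['color' => '#333']),
    'garbage' => 'not serialized at all',
];

foreach ($samples as $label => $raw) {
    try {
        echo $label, ': accepted "', decode_skin_field($raw), "\"\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

Only the first sample is accepted; the other three are rejected with the reason given in the exception message. For a file format that users upload, storing such fields as plain text or JSON avoids unserialize() on untrusted input altogether.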

