mahara-contributors team mailing list archive
Message #64063
[Bug 1944979] A patch has been submitted for review
Patch for "21.10_DEV" branch: https://reviews.mahara.org/12198
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1944979
Title:
Path traversal leads to unauthenticated HTML file disclosure
Status in Mahara:
Fix Released
Status in Mahara 20.04 series:
Fix Released
Status in Mahara 20.10 series:
Fix Released
Status in Mahara 21.04 series:
Fix Released
Bug description:
Hello again! Mahara's help API blocks / characters but replaces the -
with / in the `page` parameter (see
https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/lib/mahara.php#L376)
and this allows unauthenticated path traversal. The thing that
prevents this from being a really bad vulnerability is that the
application appends a .html to the path so the files that can be
leaked are quite limited. However, the export feature leaves
potentially-private user data on disk... in .html format!
To reproduce, visit
http://localhost:6142/mahara/json/help.php?plugintype=core&pluginname=view&page=..-..-..-..-..-js-tinymce-plugins-mathslate-help
It will show the contents of the tinymce plugin's help.html file that
lives in the Mahara directory structure.
The vulnerable code mentioned above is in the `get_helpfile_location`
function.
```php
if ($page) {
    // Each '-'-separated segment of the page name becomes a path component.
    $pagebits = explode('-', $page);
    // The last segment becomes the file name, with .html appended.
    $file = array_pop($pagebits) . '.html';
    // '..' segments survive the split unchanged, so the joined path can
    // climb out of the help directory.
    if ($plugintype != 'core') {
        $subdir .= 'pages/' . join('/', $pagebits) . '/';
    }
    else {
        $subdir .= 'pages/' . $pluginname . '/' . join('/', $pagebits) . '/';
    }
}
```
This "split on - and join with /" logic allows the path traversal. The
final path should be checked to make sure it's still inside the help/
directory.
The real impact of this vulnerability comes from the fact that after
using the export function
(http://localhost:6142/mahara/export/index.php) the HTML data of a
user remains on disk for a while.
```shell
root@692678e7a88b:/# find /mahara/data/ -name '*.html'
/mahara/data/export/1/1632482909/HTML/views/21_Untitled-v.5/index.html
/mahara/data/export/1/1632482909/HTML/views/8_Untitled-v.2-scrip-alert-1-script-/index.html
/mahara/data/export/1/1632482909/HTML/views/9_Untitled-v.3/index.html
/mahara/data/export/1/1632482909/HTML/views/26_Untitled-v.2-scrip-alert-1-script-/index.html
/mahara/data/export/1/1632482909/HTML/views/30_Untitled-v.6/index.html
/mahara/data/export/1/1632482909/HTML/views/29_Untitled-v.5/index.html
/mahara/data/export/1/1632482909/HTML/views/28_Untitled-v.4/index.html
/mahara/data/export/1/1632482909/HTML/views/6_Profile-page/index.html
/mahara/data/export/1/1632482909/HTML/views/20_Untitled-v.2/index.html
/mahara/data/export/1/1632482909/HTML/views/25_Untitled-v.2/index.html
/mahara/data/export/1/1632482909/HTML/views/14_Untitled-v.4/index.html
/mahara/data/export/1/1632482909/HTML/views/27_Untitled-v.3/index.html
/mahara/data/export/1/1632482909/HTML/index.html
/mahara/data/export/1/1632482909/HTML/content/blog/Admin-Account's-Journal/index.html
/mahara/data/export/1/1632482909/HTML/content/internal/index.html
/mahara/data/export/1/1632482909/HTML/content/plans/aabb/index.html
/mahara/data/export/1/1632482909/HTML/content/plans/whatever/index.html
/mahara/data/export/1/1632482909/HTML/content/resume/index.html
/mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/index.html
/mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/Cover images/index.html
/mahara/data/export/1/1632482909/export_info/files/index.html
/mahara/data/export/1/1632482909/export_info/files/Cover images/index.html
```
Leaking it would require getting the unix timestamp in the path right,
but it's still not impossible if there's no rate limiting in place. Getting
to the base `/HTML/index.html` file would reveal the names of the
other files, so they don't need to be guessed.
Suggested CVSS: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 3.7
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1944979/+subscriptions
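The report asks for the final path to be checked against the help/ directory. The following PHP is an added illustration, not Mahara's code or the fix submitted in the linked review: it keeps the report's "split on '-' and join with '/'" mapping and adds two checks, a segment-level rejection of `..`, `.`, empty segments and separator characters, and a `realpath()` containment test of the resolved file against the canonical help directory. `resolve_helpfile()`, its parameters and the on-disk fixture it builds under the system temp directory are all assumptions of this demo; the real `get_helpfile_location()` has a different signature and directory layout.

```php
<?php
// Added demo, not Mahara's code. resolve_helpfile() and its parameters are
// assumptions; the fixture below is constructed for the run and removed after.

/**
 * Map a help page name to a file under $helpdir and return its canonical
 * path, or null if the request would escape $helpdir or the file is missing.
 */
function resolve_helpfile(string $helpdir, string $plugintype, string $pluginname, string $page): ?string
{
    // Same mapping as the report: '-' separated segments become path components,
    // the last one is the file name with .html appended.
    $pagebits = explode('-', $page);
    $file = array_pop($pagebits) . '.html';

    $bits = $pagebits;
    $bits[] = $file;
    if ($plugintype === 'core') {
        $bits[] = $pluginname;
        $subdir = 'pages/' . $pluginname . '/' . join('/', $pagebits) . '/';
    } else {
        $subdir = 'pages/' . join('/', $pagebits) . '/';
    }

    // First check: refuse traversal and separator characters in every
    // component before anything touches the filesystem.
    foreach ($bits as $bit) {
        if ($bit === '' || $bit === '.' || $bit === '..' || strpbrk($bit, "/\\\0") !== false) {
            return null;
        }
    }

    // Second check: canonicalise both paths (realpath() resolves '..' and
    // symlinks and returns false for a missing file) and require the file to
    // sit under the help directory.
    $realhelp = realpath($helpdir);
    $realfile = realpath($helpdir . '/' . $subdir . $file);
    if ($realhelp === false || $realfile === false) {
        return null;
    }
    $prefix = rtrim($realhelp, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realfile, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $realfile;
}

// Constructed fixture: a small help tree plus a file outside it that stands
// in for an export left on disk.
$root = sys_get_temp_dir() . '/helpdemo_' . bin2hex(random_bytes(4));
mkdir("$root/help/pages/view", 0700, true);
mkdir("$root/export", 0700, true);
file_put_contents("$root/help/pages/view/intro.html", '<p>help text</p>');
file_put_contents("$root/export/index.html", '<p>private export</p>');

$cases = [
    // Legitimate page: resolves to pages/view/intro.html.
    'intro',
    // Traversal in the report's style: without the checks this would map to
    // help/pages/view/../../../export/index.html, i.e. the export file.
    '..-..-..-export-index',
    // Doubled '-' yields an empty segment, which is also rejected.
    'a--intro',
];
foreach ($cases as $page) {
    $result = resolve_helpfile("$root/help", 'core', 'view', $page);
    printf("%-25s => %s\n", $page, $result === null ? 'rejected' : $result);
}

// Remove the fixture again.
foreach (["$root/help/pages/view/intro.html", "$root/export/index.html"] as $f) {
    unlink($f);
}
foreach (["$root/help/pages/view", "$root/help/pages", "$root/help", "$root/export", $root] as $d) {
    rmdir($d);
}
```

Run it with `php resolve_helpfile.php`; the first case prints the canonical path of `intro.html`, the other two print `rejected`. The segment check alone would already stop the report's payload, but the `realpath()` comparison is what actually enforces the "still inside help/" property the report asks for, and it also covers cases the string check cannot see, such as a symlink under the help tree pointing elsewhere.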