mahara-contributors team mailing list archive

[Bug 1944979] A change has been merged

Reviewed:  https://reviews.mahara.org/12198
Committed: https://git.mahara.org/mahara/mahara/commit/f8d64e621af581902de82c8ec76f0283e4495398
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    21.10_DEV

commit f8d64e621af581902de82c8ec76f0283e4495398
Author: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date:   Mon Sep 27 17:12:42 2021 +1300

Security bug 1944979: Able to create a traversable help path

To get to files outside the webroot.
These files will need to be .html files for the exploit to work.

This patch tries to find the real path for the file and checks to make
sure it's within the webroot and contains 'help/page/' as part of its
path.

Change-Id: I1c782f2a63e93b7da30ad62cb0acddab8dd75497
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
(cherry picked from commit 4b9a1ebcab4dbc3334fe2ddc157c106413bc7898)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1944979

Title:
  Path traversal leads to unauthenticated HTML file disclosure

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released

Bug description:
  Hello again! Mahara's help API blocks / characters but replaces the -
  with / in the `page` parameter (see
  https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/lib/mahara.php#L376)
  and this allows unauthenticated path traversal. The thing that
  prevents this from being a really bad vulnerability is that the
  application appends a .html to the path so the files that can be
  leaked are quite limited. However, the export feature leaves
  potentially-private user data on disk... in .html format!

  To reproduce, visit
  http://localhost:6142/mahara/json/help.php?plugintype=core&pluginname=view&page=..-..-..-..-..-js-tinymce-plugins-mathslate-help

  It will show the contents of the tinymce plugin's help.html file that
  lives in the Mahara directory structure.

  The vulnerable code mentioned above is in the `get_helpfile_location`
  function.

  ```php
      if ($page) {
          $pagebits = explode('-', $page);
          $file = array_pop($pagebits) . '.html';
          if ($plugintype != 'core') {
              $subdir .= 'pages/' . join('/', $pagebits) . '/';
          }
          else {
              $subdir .= 'pages/' . $pluginname . '/' . join('/', $pagebits) . '/';
          }
      }
  ```

  This "split on - and join with /" logic allows the path traversal. The
  final path should be checked to make sure it's still inside the help/
  directory.

  The real impact of this vulnerability comes from the fact that after
  using the export function
  (http://localhost:6142/mahara/export/index.php) the HTML data of a
  user remains on disk for a while.

  ```shell
  root@692678e7a88b:/# find /mahara/data/ -name '*.html'
  /mahara/data/export/1/1632482909/HTML/views/21_Untitled-v.5/index.html
  /mahara/data/export/1/1632482909/HTML/views/8_Untitled-v.2-scrip-alert-1-script-/index.html
  /mahara/data/export/1/1632482909/HTML/views/9_Untitled-v.3/index.html
  /mahara/data/export/1/1632482909/HTML/views/26_Untitled-v.2-scrip-alert-1-script-/index.html
  /mahara/data/export/1/1632482909/HTML/views/30_Untitled-v.6/index.html
  /mahara/data/export/1/1632482909/HTML/views/29_Untitled-v.5/index.html
  /mahara/data/export/1/1632482909/HTML/views/28_Untitled-v.4/index.html
  /mahara/data/export/1/1632482909/HTML/views/6_Profile-page/index.html
  /mahara/data/export/1/1632482909/HTML/views/20_Untitled-v.2/index.html
  /mahara/data/export/1/1632482909/HTML/views/25_Untitled-v.2/index.html
  /mahara/data/export/1/1632482909/HTML/views/14_Untitled-v.4/index.html
  /mahara/data/export/1/1632482909/HTML/views/27_Untitled-v.3/index.html
  /mahara/data/export/1/1632482909/HTML/index.html
  /mahara/data/export/1/1632482909/HTML/content/blog/Admin-Account's-Journal/index.html
  /mahara/data/export/1/1632482909/HTML/content/internal/index.html
  /mahara/data/export/1/1632482909/HTML/content/plans/aabb/index.html
  /mahara/data/export/1/1632482909/HTML/content/plans/whatever/index.html
  /mahara/data/export/1/1632482909/HTML/content/resume/index.html
  /mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/index.html
  /mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/Cover images/index.html
  /mahara/data/export/1/1632482909/export_info/files/index.html
  /mahara/data/export/1/1632482909/export_info/files/Cover images/index.html
  ```

  Leaking it would require getting the unix timestamp in the path right,
  but it's still not impossible if there's no rate-limiting in place.
  Getting to the base `/HTML/index.html` file would reveal the names of
  the other files, so they don't need to be guessed.

  Suggested CVSS: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 3.7
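The check the fix describes (resolve the real path, then require it to sit under the webroot and inside a help/pages/ directory), written out as an added PHP example that is not Mahara's code: `help_candidate()` copies the split/join logic quoted in the report, `resolve_helpfile()` is the containment check, and the temporary webroot, `dataroot` directory and file names are constructed for the demo.

```php
<?php
// Added example, not Mahara's code. help_candidate() copies the report's
// "split on '-' and join with '/'" logic; resolve_helpfile() adds the
// realpath() containment check the fix describes. Layout is constructed.

function help_candidate(string $webroot, string $plugintype, string $pluginname, string $page): string {
    $subdir = $webroot . '/help/';            // assumed base help directory
    $pagebits = explode('-', $page);
    $file = array_pop($pagebits) . '.html';   // last segment names the file
    if ($plugintype != 'core') {
        $subdir .= 'pages/' . join('/', $pagebits) . '/';
    } else {
        $subdir .= 'pages/' . $pluginname . '/' . join('/', $pagebits) . '/';
    }
    return $subdir . $file;                   // unchecked: '..' segments survive
}

function resolve_helpfile(string $webroot, string $candidate): ?string {
    $real = realpath($candidate);             // canonical path, false if missing
    $root = realpath($webroot);
    if ($real === false || $root === false) {
        return null;
    }
    // Must sit below the webroot: prefix match on a directory boundary, so
    // "/srv/htdocs-old/..." cannot pass for "/srv/htdocs". POSIX separators assumed.
    if (strncmp($real, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    // ...and inside a help/pages/ directory, so other .html under the webroot is off limits.
    if (strpos($real, '/help/pages/') === false) {
        return null;
    }
    return $real;
}

// Constructed fixture: a webroot with one real help page, plus a data
// directory outside the webroot holding an exported .html file.
$base = sys_get_temp_dir() . '/helpdemo_' . getmypid();
mkdir("$base/htdocs/help/pages/view/blocks", 0700, true);
mkdir("$base/dataroot/export", 0700, true);
file_put_contents("$base/htdocs/help/pages/view/blocks/text.html", '<p>help</p>');
file_put_contents("$base/dataroot/export/index.html", '<p>private</p>');
$webroot = "$base/htdocs";
// A normal page resolves; the '..-' form from the report reaches a real file
// outside the webroot, so realpath() succeeds but the containment check rejects it.
$ok  = resolve_helpfile($webroot, help_candidate($webroot, 'core', 'view', 'blocks-text'));
$bad = resolve_helpfile($webroot, help_candidate($webroot, 'core', 'view', '..-..-..-..-dataroot-export-index'));
echo ($ok !== null ? 'help page served' : 'help page rejected'), "\n";
echo ($bad === null ? 'traversal rejected' : 'traversal served'), "\n";
```

Because realpath() needs the target to exist, a missing file is rejected by the first branch rather than by the prefix test; that is the desired fail-closed behaviour, but it also means the check must run on the final path, not on the unresolved string.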

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1944979/+subscriptions