We have investigated a serious security bug in the Mahara 1.5.x series which
allows a virus-infected file to be uploaded. This loophole/bug allows the
infected file to be uploaded without being scanned, and from the Mahara user
interface it gives the impression that the file was scanned successfully.

The issue is happening in the function mahara_clam_scan_file defined in
/htdocs/lib/uploadmanager.php.

The fix for ClamAV bug #1055239 addresses this issue, but it has only been
applied to Mahara 1.6.0. According to my investigation it should be applied
to all existing supported releases of Mahara, including 1.5.x.

Exactly this happens at /htdocs/lib/uploadmanager.php line 309:

    $cmd = $pathtoclam .' '. escapeshellarg($fullpath) ." 2>&1";

where escapeshellarg($fullpath) returns a NULL value, and as a result ClamAV
scans the existing directory and gives an OK status for the virus-infected
file. We used the ClamAV test file to replicate this issue.

The PHP escapeshellarg function expects a string, but an array is passed to
it, which gives NULL as a result; for the same reason chmod also fails at
line 313.

Following is the error log entry:

Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110] [WAR] 60 
(lib/uploadmanager.php:313) chmod() expects parameter 1 to be string, array 
given, referer: https://localhost/view/blocks.php?id=10
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110] Call stack (most 
recent first):, referer: https://localhost/view/blocks.php?id=10
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
log_message("chmod() expects parameter 1 to be string, array gi...", 8, true, 
true, "/htdocs/lib/uploadmanager.php", 313) at /htdocs/lib/errors.php:446, 
referer: https://$
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * error(2, "chmod() 
expects parameter 1 to be string, array gi...", 
"/htdocs/lib/uploadmanager.php", 313, array(size 6)) at Unknown:0, referer: 
https://localhost/v$
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * chmod(array(size 
1), 420) at /htdocs/lib/uploadmanager.php:313, referer: 
https://localhost/view/blocks.php?id=10
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
mahara_clam_scan_file(array(size 5), 0) at /htdocs/lib/uploadmanager.php:114, 
referer: https://localhost/view/blocks.php?id=10
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
upload_manager->preprocess_file() at /htdocs/artefact/file/lib.php:950, 
referer: https://localhost/view/blocks.php?id=10
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
ArtefactTypeFile::save_uploaded_file("userfile", object(stdClass), 0) at 
/htdocs/artefact/file/form/elements/filebrowser.php:756, referer: 
https://localhost/view$
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
pieform_element_filebrowser_upload(object(Pieform), array(size 13), array(size 
5)) at /htdocs/artefact/file/form/elements/filebrowser.php:587, referer: 
https://eportfolio.us$
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
pieform_element_filebrowser_doupdate(object(Pieform), array(size 13)) at 
/htdocs/artefact/file/form/elements/filebrowser.php:356, referer: 
https://localhost/view$
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
pieform_element_filebrowser_get_value(object(Pieform), array(size 13)) at 
/htdocs/lib/pieforms/pieform.php:800, referer: 
https://localhost/view/blocks.php?id=549$
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
Pieform->get_value(array(size 13)) at /htdocs/lib/pieforms/pieform.php:1251, 
referer: https://localhost/view/blocks.php?id=10
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
Pieform->get_submitted_values() at /htdocs/lib/pieforms/pieform.php:490, 
referer: https://localhost/view/blocks.php?id=10
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
Pieform->__construct(array(size 15)) at /htdocs/blocktype/lib.php:871, referer: 
https://localhost/view/blocks.php?id=10
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110]   * 
BlockInstance->build_configure_form() at /htdocs/view/blocks.php:83, referer: 
https://localhost/view/blocks.php?id=10
[Wed Dec 12 09:55:07 2012] [error] [client 192.168.0.110] , referer: 
https://localhost/view/blocks.php?id=10


Following is the PHP debugging that we did for this issue. I also wonder
whether the code is inherited from Moodle, so it needs to be checked with
Moodle too!


PHP debugging without fix, 2 files uploaded

In the Loop isset($inputindex) :
$tmpfile: NULL  

In the Loop is_array($file) && is_uploaded_file($tmpname)
$fullpath: array(2) {   [0]=>   string(14) "/tmp/phpDdqaTc"   [1]=>   
string(14) "/tmp/phpM4aRv1" }  

$escapeshellarg($fullpath): NULL  
$escapeshellcmd($fullpath): NULL

$cmd: string(24) "/usr/bin/clamdscan  2>&1"

$output: array(5) {   [0]=>   string(28) "/htdocs/artefact/file: OK"
[1]=>   string(0) ""   [2]=>   string(36) "----------- SCAN SUMMARY
-----------"   [3]=>   string(17) "Infected files: 0"   [4]=>
string(25) "Time: 0.124 sec (0 m 0 s)" }

$return: int(0)

In the Loop isset($inputindex) :
$tmpfile: NULL

In the Loop is_array($file) && is_uploaded_file($tmpname)
$fullpath: array(2) {   [0]=>   string(14) "/tmp/phpDdqaTc"   [1]=>
string(14) "/tmp/phpM4aRv1" }

$escapeshellarg($fullpath): NULL
$escapeshellcmd($fullpath): NULL

$cmd: string(24) "/usr/bin/clamdscan  2>&1"

$output: array(5) {   [0]=>   string(28) "/htdocs/artefact/file: OK"
[1]=>   string(0) ""   [2]=>   string(36) "----------- SCAN SUMMARY
-----------"   [3]=>   string(17) "Infected files: 0"   [4]=>
string(25) "Time: 0.112 sec (0 m 0 s)" }

$return: int(0)


PHP debugging without fix, 1 file uploaded

In the Loop isset($inputindex) :
$tmpfile: NULL  

In the Loop is_array($file) && is_uploaded_file($tmpname)  
$fullpath: array(1) {   [0]=>   string(14) "/tmp/php3gkh1m" }  

$escapeshellarg($fullpath): NULL  
$escapeshellcmd($fullpath): NULL

$cmd: string(24) "/usr/bin/clamdscan  2>&1"

$output: array(5) {   [0]=>   string(28) "/htdocs/artefact/file: OK"
[1]=>   string(0) ""   [2]=>   string(36) "----------- SCAN SUMMARY
-----------"   [3]=>   string(17) "Infected files: 0"   [4]=>
string(25) "Time: 0.124 sec (0 m 0 s)" }

$return: int(0)


PHP debugging with fix, 2 files uploaded

In the Loop isset($inputindex) :
$tmpfile: NULL  

In the Loop is_array($file) && is_uploaded_file($tmpname)  
$fullpath: string(14) "/tmp/phpvnyvSe"  

$escapeshellarg($fullpath): string(16) "'/tmp/phpvnyvSe'"  
$escapeshellcmd($fullpath): string(14) "/tmp/phpvnyvSe"

$cmd: string(38) "/usr/bin/clamdscan /tmp/phpvnyvSe 2>&1"

$output: array(5) {   [0]=>   string(38) "/tmp/phpvnyvSe: ClamAV-Test-
File FOUND"   [1]=>   string(0) ""   [2]=>   string(36) "-----------
SCAN SUMMARY -----------"   [3]=>   string(17) "Infected files: 1"
[4]=>   string(25) "Time: 0.258 sec (0 m 0 s)" }

$return: int(1)

In the Loop isset($inputindex) :
$tmpfile: NULL  

In the Loop is_array($file) && is_uploaded_file($tmpname)  
$fullpath: string(14) "/tmp/php0nP112"  

$escapeshellarg($fullpath): string(16) "'/tmp/php0nP112'"  
$escapeshellcmd($fullpath): string(14) "/tmp/php0nP112"

$cmd: string(38) "/usr/bin/clamdscan /tmp/php0nP112 2>&1"

$output: array(5) {   [0]=>   string(38) "/tmp/php0nP112: ClamAV-Test-
File FOUND"   [1]=>   string(0) ""   [2]=>   string(36) "-----------
SCAN SUMMARY -----------"   [3]=>   string(17) "Infected files: 1"
[4]=>   string(25) "Time: 0.237 sec (0 m 0 s)" }

$return: int(1)


PHP debugging with fix, 1 file uploaded

In the Loop isset($inputindex) :
$tmpfile: NULL  

In the Loop is_array($file) && is_uploaded_file($tmpname)  
$fullpath: string(14) "/tmp/php8pJlgm"  

$escapeshellarg($fullpath): string(16) "'/tmp/php8pJlgm'"  
$escapeshellcmd($fullpath): string(14) "/tmp/php8pJlgm"

$cmd: string(38) "/usr/bin/clamdscan /tmp/php8pJlgm 2>&1"

$output: array(5) {   [0]=>   string(38) "/tmp/php8pJlgm: ClamAV-Test-
File FOUND"   [1]=>   string(0) ""   [2]=>   string(36) "-----------
SCAN SUMMARY -----------"   [3]=>   string(17) "Infected files: 1"
[4]=>   string(25) "Time: 0.257 sec (0 m 0 s)" }

$return: int(1)

Also, I haven't investigated the scenario in which the logic at line 288 is used:
    else if (is_array($file)) {
        $tmpname = $file['tmp_name'];
    }

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1055239

Title:
  ClamAV doesn't support scanning multifile uploads

Status in Mahara ePortfolio:
  Fix Released

Bug description:
  When a user uploads using the new HTML multifile upload support, the
  file is scanned by clamav. The code for this scanning assumes the
  single upload still.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1055239/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
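The failure mode described in the report above, as an added example that is not part of the original message and not Mahara's own code. It reproduces the shape of the vulnerable line 309 (an array from a multi-file $_FILES entry reaching escapeshellarg(), which on PHP 5/7 returns NULL with a warning, while PHP 8 throws a TypeError) and shows a fail-closed replacement that scans one file per clamdscan invocation and only accepts a verdict that names the file it submitted. Assumptions, all taken from the log output in the report rather than verified against clamdscan here: exit code 0 means clean, 1 means infected, anything else is an error, and clamdscan prints one "<path>: OK" or "<path>: <signature> FOUND" line per scanned file. The $fakeRunner closure stands in for exec() so the script runs without clamd; the temp files it creates are constructed demo input.

```php
<?php
// Added example (not Mahara code). Assumed clamdscan contract, from the report's
// log output: exit 0 = clean, 1 = infected, other = error; one
// "<path>: OK" / "<path>: <signature> FOUND" line per scanned file.

const CLAM_CLEAN    = 0;
const CLAM_INFECTED = 1;
const CLAM_ERROR    = 2;

/**
 * Shape of the vulnerable line 309. For <input type="file" name="userfile[]">
 * $_FILES['userfile']['tmp_name'] is an ARRAY, so $fullpath is an array.
 * PHP 5/7: escapeshellarg(array) warns and returns NULL, the command collapses
 * to "/usr/bin/clamdscan  2>&1", clamdscan scans its working directory and
 * exits 0. PHP 8 throws TypeError instead.
 */
function vulnerable_build_cmd(string $pathtoclam, $fullpath): string
{
    return $pathtoclam . ' ' . @escapeshellarg($fullpath) . ' 2>&1';
}

/** Accept exactly one concrete path per call; anything else is a bug, not "clean". */
function safe_build_cmd(string $pathtoclam, $fullpath): string
{
    if (!is_string($fullpath) || $fullpath === '' || strpos($fullpath, "\0") !== false) {
        throw new InvalidArgumentException('scan target must be a single non-empty path');
    }
    return $pathtoclam . ' ' . escapeshellarg($fullpath) . ' 2>&1';
}

/**
 * Fail closed: "clean" needs exit 0 AND a "<our path>: OK" line. Exit 0 with
 * our path absent means clamdscan scanned something else, which is exactly
 * the "/htdocs/artefact/file: OK" seen in the report.
 */
function interpret_clam_result(string $fullpath, array $output, int $return): int
{
    if ($return === CLAM_INFECTED) {
        return CLAM_INFECTED;
    }
    if ($return !== CLAM_CLEAN) {
        return CLAM_ERROR;
    }
    return in_array($fullpath . ': OK', $output, true) ? CLAM_CLEAN : CLAM_ERROR;
}

/** Flatten one $_FILES entry to a list of tmp_name strings (single or multi-file form). */
function uploaded_tmp_paths(array $file): array
{
    $tmp   = isset($file['tmp_name']) ? $file['tmp_name'] : null;
    $paths = is_array($tmp) ? array_values($tmp) : [$tmp];
    return array_values(array_filter($paths, 'is_string'));
}

/**
 * One clamdscan invocation per uploaded file. $runner stands in for exec():
 * it takes the command string and returns [output lines, exit code].
 */
function scan_uploads(string $pathtoclam, array $file, callable $runner): array
{
    $results = [];
    foreach (uploaded_tmp_paths($file) as $path) {
        // In a real request use is_uploaded_file($path); is_file() lets the
        // CLI demo below work with ordinary temp files.
        if (!is_file($path)) {
            $results[$path] = CLAM_ERROR;
            continue;
        }
        list($output, $return) = $runner(safe_build_cmd($pathtoclam, $path));
        $results[$path] = interpret_clam_result($path, $output, $return);
    }
    return $results;
}

// ---- constructed demo: two temp files standing in for a multi-file upload ----
$tmpA  = tempnam(sys_get_temp_dir(), 'php');
$tmpB  = tempnam(sys_get_temp_dir(), 'php');
$files = ['tmp_name' => [$tmpA, $tmpB]];   // what $_FILES['userfile'] holds for userfile[]

// Fake exec() replaying the clamdscan output shapes shown in the report.
$fakeRunner = function (string $cmd) use ($tmpA, $tmpB) {
    if (strpos($cmd, escapeshellarg($tmpA)) !== false) {
        return [["$tmpA: ClamAV-Test-File FOUND", 'Infected files: 1'], CLAM_INFECTED];
    }
    if (strpos($cmd, escapeshellarg($tmpB)) !== false) {
        return [["$tmpB: OK", 'Infected files: 0'], CLAM_CLEAN];
    }
    // No file argument at all: clamdscan scans the cwd and reports it clean.
    return [['/htdocs/artefact/file: OK', 'Infected files: 0'], CLAM_CLEAN];
};

// 1. The bug: the array reaches escapeshellarg() and the file name vanishes.
try {
    $cmd = vulnerable_build_cmd('/usr/bin/clamdscan', $files['tmp_name']);
    echo "vulnerable cmd: $cmd\n";                       // PHP 5/7: "/usr/bin/clamdscan  2>&1"
    list($out, $rc) = $fakeRunner($cmd);
    echo "exit $rc, old code says clean; fail-closed verdict: ",
        interpret_clam_result($tmpA, $out, $rc) === CLAM_ERROR ? 'error' : 'clean', "\n";
} catch (TypeError $e) {
    echo 'PHP 8+: ', $e->getMessage(), "\n";             // no silent collapse, but still no scan
}

// 2. The hardened path: one command per file, one verdict per file.
foreach (scan_uploads('/usr/bin/clamdscan', $files, $fakeRunner) as $path => $verdict) {
    echo $path, ' => ', ['clean', 'INFECTED', 'error'][$verdict], "\n";
}
unlink($tmpA);
unlink($tmpB);
```

The important design point is in interpret_clam_result(): the old code trusted the exit code alone, and an exit code of 0 is also what clamdscan returns when it was handed no file at all and scanned its working directory. Requiring the output to name the exact path that was submitted turns that silent pass into a hard error, and throwing from safe_build_cmd() on anything that is not a single string makes the array-vs-string mismatch in the multi-file form fail at the call site instead of being absorbed by escapeshellarg().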