Patch for "20.04_STABLE" branch: https://reviews.mahara.org/12201
--
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1944979

Title:
  Path traversal leads to unauthenticated HTML file disclosure

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released

Bug description:
  Hello again!

  Mahara's help API blocks / characters but replaces the - with / in the `page` parameter (see https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/lib/mahara.php#L376) and this allows unauthenticated path traversal.

  The thing that prevents this from being a really bad vulnerability is that the application appends a .html to the path so the files that can be leaked are quite limited. However, the export feature leaves potentially-private user data on disk... in .html format!

  To reproduce, visit http://localhost:6142/mahara/json/help.php?plugintype=core&pluginname=view&page=..-..-..-..-..-js-tinymce-plugins-mathslate-help

  It will show the contents of the tinymce plugin's help.html file that lives in the Mahara directory structure.

  The vulnerable code mentioned above is in the `get_helpfile_location` function.

  ```php
  if ($page) {
      // '-' is the only separator accepted in the page name; each piece becomes a directory
      $pagebits = explode('-', $page);
      // the last piece becomes the file name, with '.html' appended
      $file = array_pop($pagebits) . '.html';
      if ($plugintype != 'core') {
          $subdir .= 'pages/' . join('/', $pagebits) . '/';
      } else {
          $subdir .= 'pages/' . $pluginname . '/' . join('/', $pagebits) . '/';
      }
  }
  ```

  This "split on - and join with /" logic allows the path traversal. The final path should be checked to make sure it's still inside the help/ directory.

  The real impact of this vulnerability comes from the fact that after using the export function (http://localhost:6142/mahara/export/index.php) the HTML data of a user remains on disk for a while.
  ```shell
  root@692678e7a88b:/# find /mahara/data/ -name '*.html'
  /mahara/data/export/1/1632482909/HTML/views/21_Untitled-v.5/index.html
  /mahara/data/export/1/1632482909/HTML/views/8_Untitled-v.2-scrip-alert-1-script-/index.html
  /mahara/data/export/1/1632482909/HTML/views/9_Untitled-v.3/index.html
  /mahara/data/export/1/1632482909/HTML/views/26_Untitled-v.2-scrip-alert-1-script-/index.html
  /mahara/data/export/1/1632482909/HTML/views/30_Untitled-v.6/index.html
  /mahara/data/export/1/1632482909/HTML/views/29_Untitled-v.5/index.html
  /mahara/data/export/1/1632482909/HTML/views/28_Untitled-v.4/index.html
  /mahara/data/export/1/1632482909/HTML/views/6_Profile-page/index.html
  /mahara/data/export/1/1632482909/HTML/views/20_Untitled-v.2/index.html
  /mahara/data/export/1/1632482909/HTML/views/25_Untitled-v.2/index.html
  /mahara/data/export/1/1632482909/HTML/views/14_Untitled-v.4/index.html
  /mahara/data/export/1/1632482909/HTML/views/27_Untitled-v.3/index.html
  /mahara/data/export/1/1632482909/HTML/index.html
  /mahara/data/export/1/1632482909/HTML/content/blog/Admin-Account's-Journal/index.html
  /mahara/data/export/1/1632482909/HTML/content/internal/index.html
  /mahara/data/export/1/1632482909/HTML/content/plans/aabb/index.html
  /mahara/data/export/1/1632482909/HTML/content/plans/whatever/index.html
  /mahara/data/export/1/1632482909/HTML/content/resume/index.html
  /mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/index.html
  /mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/Cover images/index.html
  /mahara/data/export/1/1632482909/export_info/files/index.html
  /mahara/data/export/1/1632482909/export_info/files/Cover images/index.html
  ```

  Leaking it would require getting the unix timestamp in the path right, but that is still not impossible if there's no rate-limiting in place. Getting to the base `/HTML/index.html` file would reveal the names of the other files, so they don't need to be guessed.
  Suggested CVSS: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 3.7
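The report asks for the final path to be checked against the help/ directory. Below is an added example of such a containment check (not Mahara's own code and not the fix in the linked patch); it keeps the split-on-'-' convention from the snippet above, while `$helproot`, the `pages/<pluginname>/` layout and the function name are assumptions for illustration.

```php
<?php
// Added example, not Mahara's code: a containment check for help page paths.
// Assumes help files live under $helproot/pages/<pluginname>/... for core
// plugins and $helproot/pages/... otherwise (layout is an assumption).

function safe_helpfile_location(string $helproot, string $plugintype,
                                string $pluginname, string $page): ?string
{
    // Same "split on - and join with /" convention as the vulnerable snippet.
    $pagebits = explode('-', $page);
    $file = array_pop($pagebits) . '.html';
    $subdir = ($plugintype === 'core') ? 'pages/' . $pluginname . '/' : 'pages/';
    if ($pagebits) {
        $subdir .= join('/', $pagebits) . '/';
    }
    $relative = $subdir . $file;

    // Gate 1: refuse '.', '..' and empty components before touching the
    // filesystem, so a page of '..-..-..-foo' is rejected outright.
    foreach (explode('/', $relative) as $part) {
        if ($part === '' || $part === '.' || $part === '..') {
            return null;
        }
    }

    // Gate 2: canonicalise both sides and require the candidate to sit
    // strictly below the help root (also catches symlinks pointing outside).
    $base = realpath($helproot);
    $real = realpath(rtrim($helproot, '/') . '/' . $relative);
    if ($base === false || $real === false) {
        return null; // no such help page (or no help root): nothing to serve
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . '/helpdemo_' . getmypid();
mkdir("$root/pages/view", 0700, true);
file_put_contents("$root/pages/view/index.html", "<p>legit help</p>\n");

var_dump(safe_helpfile_location($root, 'core', 'view', 'index'));           // string: real path
var_dump(safe_helpfile_location($root, 'core', 'view', '..-..-..-secret')); // NULL
var_dump(safe_helpfile_location($root, 'core', 'view', 'a--b'));            // NULL (empty segment)
```

Both gates are deliberately kept: the component filter gives a clear reject without filesystem access, and the `realpath` comparison is the check that still holds if the naming convention changes later.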

