Reviewed: https://reviews.mahara.org/12201
Committed: https://git.mahara.org/mahara/mahara/commit/1a30e5dbbbec8176884d416a6a0a8acf2cec675b
Submitter: Robert Lyon ([email protected])
Branch: 20.04_STABLE
commit 1a30e5dbbbec8176884d416a6a0a8acf2cec675b
Author: Robert Lyon <[email protected]>
Date: Mon Sep 27 17:12:42 2021 +1300

Security bug 1944979: Able to create a traversable help path

To get to files outside the webroot. These files will need to be .html files for the exploit to work.

This patch tries to find the real path for the file and checks to make sure it's within the webroot and contains 'help/page/' as part of its path.

Change-Id: I1c782f2a63e93b7da30ad62cb0acddab8dd75497
Signed-off-by: Robert Lyon <[email protected]>
(cherry picked from commit 4b9a1ebcab4dbc3334fe2ddc157c106413bc7898)
(cherry picked from commit f8d64e621af581902de82c8ec76f0283e4495398)

--

https://bugs.launchpad.net/bugs/1944979

Title: Path traversal leads to unauthenticated HTML file disclosure

Status in Mahara: Fix Released
Status in Mahara 20.04 series: Fix Released
Status in Mahara 20.10 series: Fix Released
Status in Mahara 21.04 series: Fix Released

Bug description:

Hello again!

Mahara's help API blocks / characters but replaces the - with / in the `page` parameter (see https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/lib/mahara.php#L376) and this allows unauthenticated path traversal. The thing that prevents this from being a really bad vulnerability is that the application appends a .html to the path, so the files that can be leaked are quite limited. However, the export feature leaves potentially-private user data on disk... in .html format!

To reproduce, visit http://localhost:6142/mahara/json/help.php?plugintype=core&pluginname=view&page=..-..-..-..-..-js-tinymce-plugins-mathslate-help

It will show the contents of the tinymce plugin's help.html file that lives in the Mahara directory structure.

The vulnerable code mentioned above is in the `get_helpfile_location` function.
```php
if ($page) {
    // each '-' in the page parameter becomes a directory separator,
    // so '..' segments walk up out of the help directory
    $pagebits = explode('-', $page);
    $file = array_pop($pagebits) . '.html';
    if ($plugintype != 'core') {
        $subdir .= 'pages/' . join('/', $pagebits) . '/';
    } else {
        $subdir .= 'pages/' . $pluginname . '/' . join('/', $pagebits) . '/';
    }
}
```

This "split on - and join with /" logic allows the path traversal. The final path should be checked to make sure it's still inside the help/ directory.

The real impact of this vulnerability comes from the fact that after using the export function (http://localhost:6142/mahara/export/index.php) the HTML data of a user remains on disk for a while.

```shell
root@692678e7a88b:/# find /mahara/data/ -name '*.html'
/mahara/data/export/1/1632482909/HTML/views/21_Untitled-v.5/index.html
/mahara/data/export/1/1632482909/HTML/views/8_Untitled-v.2-scrip-alert-1-script-/index.html
/mahara/data/export/1/1632482909/HTML/views/9_Untitled-v.3/index.html
/mahara/data/export/1/1632482909/HTML/views/26_Untitled-v.2-scrip-alert-1-script-/index.html
/mahara/data/export/1/1632482909/HTML/views/30_Untitled-v.6/index.html
/mahara/data/export/1/1632482909/HTML/views/29_Untitled-v.5/index.html
/mahara/data/export/1/1632482909/HTML/views/28_Untitled-v.4/index.html
/mahara/data/export/1/1632482909/HTML/views/6_Profile-page/index.html
/mahara/data/export/1/1632482909/HTML/views/20_Untitled-v.2/index.html
/mahara/data/export/1/1632482909/HTML/views/25_Untitled-v.2/index.html
/mahara/data/export/1/1632482909/HTML/views/14_Untitled-v.4/index.html
/mahara/data/export/1/1632482909/HTML/views/27_Untitled-v.3/index.html
/mahara/data/export/1/1632482909/HTML/index.html
/mahara/data/export/1/1632482909/HTML/content/blog/Admin-Account's-Journal/index.html
/mahara/data/export/1/1632482909/HTML/content/internal/index.html
/mahara/data/export/1/1632482909/HTML/content/plans/aabb/index.html
/mahara/data/export/1/1632482909/HTML/content/plans/whatever/index.html
/mahara/data/export/1/1632482909/HTML/content/resume/index.html
/mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/index.html
/mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/Cover images/index.html
/mahara/data/export/1/1632482909/export_info/files/index.html
/mahara/data/export/1/1632482909/export_info/files/Cover images/index.html
```

Leaking it would require getting the unix timestamp in the path right, but it is still not impossible if there's no rate-limiting in place. Getting to the base `/HTML/index.html` file would reveal the names of the other files, so they don't need to be guessed.

Suggested CVSS: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 3.7

Mailing list: https://launchpad.net/~mahara-contributors
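The quoted lookup placed next to a containment check in the spirit of the committed fix (canonicalise with realpath, then require the allowed prefix), as an added PHP example that is not Mahara's code; $webroot, the help/pages/view layout and the temporary sample files are assumptions made for the demo.

```php
<?php
// Added example, not Mahara's own code: the "split on '-' and join with '/'"
// lookup from the report next to a containment check of the kind the fix
// describes. $webroot, the sample tree and the page values are constructed.
declare(strict_types=1);

// Throwaway tree: a legitimate help page plus a file outside the help directory.
$webroot = sys_get_temp_dir() . '/helpdemo_' . getmypid();
mkdir("$webroot/help/pages/view", 0700, true);
mkdir("$webroot/dataroot/export/1", 0700, true);
file_put_contents("$webroot/help/pages/view/index.html", 'legit help');
file_put_contents("$webroot/dataroot/export/1/index.html", 'private export');

/** Unsafe lookup: the reported logic, no check on where the path ends up. */
function unsafe_help_path(string $webroot, string $page): string
{
    $pagebits = explode('-', $page);
    $file = array_pop($pagebits) . '.html';
    return "$webroot/help/pages/view/" . join('/', $pagebits) . '/' . $file;
}

/** Safe lookup: canonicalise first, then require the allowed prefix. */
function safe_help_path(string $webroot, string $page): ?string
{
    $real = realpath(unsafe_help_path($webroot, $page)); // false if missing
    $base = realpath("$webroot/help/pages");
    if ($real === false || $base === false) {
        return null;
    }
    // Compare against "base/" so a sibling such as help/pages-evil cannot match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$legit = 'index';                            // resolves to help/pages/view/index.html
$evil  = '..-..-..-dataroot-export-1-index'; // three '..' segments leave help/pages

echo "unsafe, legit: ", realpath(unsafe_help_path($webroot, $legit)), "\n";
echo "unsafe, evil:  ", realpath(unsafe_help_path($webroot, $evil)), "\n";
echo "safe, legit:   ", var_export(safe_help_path($webroot, $legit), true), "\n";
echo "safe, evil:    ", var_export(safe_help_path($webroot, $evil), true), "\n";
```

The prefix check only works after realpath has collapsed the `..` segments; comparing the unresolved string would let the traversal through.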

