XSS using user uploaded SVG files

Bug #1061980 reported by Hugh Davenport
Affects   Status         Importance   Assigned to      Milestone
Mahara    Fix Released   Critical     Hugh Davenport
1.4       Fix Released   Critical     Hugh Davenport
1.5       Fix Released   Critical     Hugh Davenport

Bug Description

I have come across a serious security issue on Mahara version 1.5 which can
allow an attacker to store malicious script on the latest version of Mahara.

*Testing Environment:*
*Operating System:* Windows 7 (32-bit)
*Web Server:* WAMP v2.2
*Browser:* Mozilla Firefox v15.0.1

*Vulnerable Path URL Location:* http://localhost/mahara/artefact/file/

*Description*: I uploaded an SVG file with a malicious payload. Since there
was no validation of the malicious content, I was able to upload a file
with malicious script.

Kindly find the screenshots as an attachment along with this mail.

I request you to kindly implement proper sanitization for handling file
contents.

Thank You.
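As an added example of the upload validation the report asks for (written for this page, not Mahara's own PHP code), the check below parses a candidate SVG as XML and refuses it if it carries script, event-handler attributes, style sheets, animation elements that can rewrite attributes, a DOCTYPE, or any href/src with a scheme other than http(s). The three sample documents are constructed, and the check deliberately collapses control characters inside a URL so that a split scheme such as `java&#10;script:` is still caught.

```python
import re
import xml.etree.ElementTree as ET

# Elements that run script, embed HTML, pull in style sheets or rewrite
# attributes at run time; none is needed for a static picture.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "style", "handler",
                      "set", "animate", "animatetransform", "animatemotion"}
URL_ATTRS = {"href", "src"}        # compared by local name, so xlink:href counts
SAFE_SCHEMES = {"http", "https"}   # javascript:, data:, vbscript: ... are refused

def _local(name):
    # ElementTree spells namespaced names as '{uri}name'; keep the bare name.
    return name.rsplit("}", 1)[-1].lower()

def _unsafe_url(value):
    # Browsers skip control characters and whitespace inside the scheme, so
    # 'java\nscript:' must be collapsed before the scheme is compared.
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    if cleaned.startswith("#") or ":" not in cleaned:
        return False               # fragment or relative reference
    return cleaned.split(":", 1)[0] not in SAFE_SCHEMES

def svg_rejection_reason(data):
    """Return None if `data` is an SVG without active content, else the reason."""
    if re.search(rb"<!DOCTYPE|<\?xml-stylesheet", data, re.I):
        return "DOCTYPE or xml-stylesheet processing instruction present"
    try:
        root = ET.fromstring(data)   # comments and PIs are dropped by the parser
    except ET.ParseError as exc:
        return "not well-formed XML: %s" % exc
    if _local(root.tag) != "svg":
        return "root element is <%s>, not <svg>" % _local(root.tag)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            return "forbidden element <%s>" % tag
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                return "event handler attribute '%s' on <%s>" % (name, tag)
            if name in URL_ATTRS and _unsafe_url(value):
                return "unsafe URL in '%s' on <%s>" % (name, tag)
    return None

# Constructed samples (not from the report): a benign icon and two payloads.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>')
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                b'<script>alert(1)</script></svg>')
OBFUSCATED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                  b'<a href="java&#10;script:alert(1)"><text y="9">hi</text></a></svg>')
```

Rejecting at upload time is only half of the defence: serving user files from a separate origin, or with `Content-Disposition: attachment`, keeps a file that slips through from running in the application's origin.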

Hugh Davenport (hugh-davenport) wrote :

Confirmed for all versions back to 1.2, patches are available and will be uploaded in the next few days

Changed in mahara:
status: Confirmed → In Progress
Melissa Draper (melissa)
visibility: private → public
Shen (shzhang) wrote :

Where can I find the patches? We are looking at getting this fixed in the individual files instead of doing a whole system upgrade.

Thanks.

Hugh Davenport (hugh-davenport) wrote :

This patch depends on bug #1055232

Hugh Davenport (hugh-davenport) wrote :

Hi Shen,

If you would prefer using git to patch your code, see the latest commits on the branches 1.4_STABLE, 1.5_STABLE, 1.6_STABLE and master (1.6 and master may not be the latest patches as are in current development).

Cheers,

Hugh

Changed in mahara:
status: In Progress → Fix Released
Hugh Davenport (hugh-davenport) wrote :

status fixreleased
