Should not be able to execute CLI scripts from the web
Bug #1387903 reported by Aaron Wells
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Aaron Wells | |
| 1.10 | Fix Released | High | Unassigned | |
| 1.8 | Fix Released | High | Unassigned | |
| 1.9 | Fix Released | High | Unassigned | |
| 15.04 | Fix Released | High | Aaron Wells | |
Bug Description
Mahara includes a few scripts that are meant to be executed only from the command line (most notably the ones under /admin/cli). Currently, though, there's no check to make sure these are being accessed from the command-line rather than from the web server!
This is a security flaw. CLI scripts are intended to be accessible only by admins with CLI access to the server.
Since we put "define('CLI', 1);" at the top of every CLI script, it should be easy to safeguard against this.
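One way to implement the check the description asks for, as an added example that is not part of the original report and not Mahara's actual fix. The function names `cli_only_violation` and `enforce_cli_only` are hypothetical, and the sample inputs at the end are constructed:

```php
<?php
// Added example; not Mahara's patch. Function names are hypothetical.

/**
 * Returns null when a script may continue, or a reason string when a script
 * that declared define('CLI', 1) is not really running from the command line.
 */
function cli_only_violation(bool $declaredCli, string $sapi, array $server): ?string
{
    if (!$declaredCli) {
        return null; // ordinary web page: nothing to enforce
    }
    // Exact match only: 'cli-server' is PHP's built-in *web* server, so a
    // prefix test on 'cli' would wrongly let web requests through.
    if ($sapi !== 'cli') {
        return "SAPI is '$sapi', not 'cli'";
    }
    // Defence in depth: a web server misconfigured to run the CLI binary as a
    // CGI handler still passes HTTP metadata as environment variables.
    foreach (['REQUEST_METHOD', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return "HTTP request variable $key is set";
        }
    }
    return null;
}

/** Call from the shared bootstrap, before any script logic runs. */
function enforce_cli_only(): void
{
    $reason = cli_only_violation(defined('CLI'), PHP_SAPI, $_SERVER);
    if ($reason === null) {
        return;
    }
    error_log('Blocked web access to CLI script: ' . $reason); // server-side only
    if (!headers_sent()) {
        http_response_code(403);
    }
    exit('This script can only be run from the command line.');
}

// Constructed sample inputs: (CLI declared?, SAPI name, $_SERVER contents).
$cases = [
    [true,  'cli',            []],
    [true,  'apache2handler', ['REQUEST_METHOD' => 'GET']],
    [true,  'cli-server',     ['REQUEST_METHOD' => 'GET']],
    [false, 'fpm-fcgi',       ['REQUEST_METHOD' => 'GET']],
];
foreach ($cases as [$cli, $sapi, $srv]) {
    echo $sapi, ': ', cli_only_violation($cli, $sapi, $srv) ?? 'allowed', PHP_EOL;
}
```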
CVE References
information type: Private Security → Public Security
Changed in mahara: status: Fix Committed → Fix Released
Credit: This bug was reported to me by Aaron Barnes at Catalyst IT.