Mahara

Avoid command injection when PDF bulk export is enabled

Bug #1949527 reported by Robert Lyon on 2021-11-02

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mahara	Fix Released	High	Robert Lyon	Mahara 22.04.0
20.10	Fix Released	High	Unassigned	Mahara 20.10.4
21.04	Fix Released	High	Unassigned	Mahara 21.04.3
21.10	Fix Released	High	Unassigned	Mahara 21.10.1
22.04	Fix Released	High	Robert Lyon	Mahara 22.04.0

Bug Description

The patch https://git.mahara.org/mahara/mahara/-/commit/6c15801d04887e482b1f490d8acf6f7c52661eea
doesn't avoid a filename with backticks and a simple command like
`shutdown` could still be executed.

I have to say I didn't test it
though but I wanted to give a heads-up. I think exploitation is fairly
limited now but it could still be used as a denial of service.

I would highly recommend using a whitelist instead of trying to remove
all special characters, something like preg_replace('/[^a-zA-Z0-9_]/',
'-', ...) would make it easier and wouldn't require an exhaustive list
of all potentially malicious characters.

All the best,
Dominic

This is a follow on from Bug 1942903

CVE References

2021-43266

Revision history for this message

Robert Lyon (robertl-9) wrote on 2021-11-02:

https://reviews.mahara.org/#/c/12220/

Revision history for this message

Kristina Hoeppner (kris-hoeppner) wrote on 2021-11-04:

Follow-on from https://mahara.org/interaction/forum/topic.php?id=8953 - use same CVE and description as there for this issue here as it is hardening. Dominic stays for the credit. We'll also need to update MITRE with the additional bug number for the CVE once this bug has been released.

Robert Lyon (robertl-9) on 2022-02-09

information type:

Private Security → Public Security

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.