Arbitrary Code Execution via pathtoclam config setting

Bug #1057238 reported by Hugh Davenport on 2012-09-27

Bug Description

This bug is related to bug #1055232

The ability of the administrator to set the path to clamav can be
abused. For instance changing the path to clamav from '/path/to/av' to
'/path/to/maharadata/artefact/file/originals/9/9' can cause a
malicious uploaded file to be executed. This requires that the saved file
is set to executable on upload, which currently it is.

They could also potentially set it to /bin/bash, allowing any user to upload
a shell script that doesn't require the executable bit set to run.

- Because installing antivirus will require shell access to the
server it seems reasonable to require setting the path to the AV be
done in a configuration file rather than a settings page. It could be
argued that in web applications generally, admin web access should not
be equivalent to shell access, due to the relative ease of session
compromise (as compared to shell access).
- Uploaded files should not be set to executable.
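The two remediations the report proposes (uploads stored without the executable bit, plus an upgrade step that clears it on existing files, and a scanner path that can never point at uploaded content) as an added Python example; this is not Mahara's code or the attached patches. The scanner-name allowlist and the `artefact/file/originals` layout under a temporary data root are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

SCANNER_NAMES = {"clamscan", "clamdscan"}  # assumed allowlist; not from the report
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def check_clam_path(path, dataroot):
    """Return the canonical scanner path, or None if it could run uploaded content."""
    p = Path(path)
    if not p.is_absolute():
        return None                      # relative paths depend on the cwd
    resolved = p.resolve()               # follow symlinks before the containment check
    root = Path(dataroot).resolve()
    if resolved == root or root in resolved.parents:
        return None                      # e.g. <dataroot>/artefact/file/originals/9/9
    if resolved.name not in SCANNER_NAMES:
        return None                      # e.g. /bin/bash fed an uploaded script
    return str(resolved)

def save_upload(dest, data):
    """Write an upload and force a non-executable mode regardless of umask."""
    dest.write_bytes(data)
    os.chmod(dest, 0o644)
    return dest.stat().st_mode & 0o777

def strip_exec_bits(root):
    """Upgrade step: clear the executable bits on every existing upload."""
    fixed = 0
    for f in root.rglob("*"):
        mode = f.stat().st_mode
        if f.is_file() and mode & EXEC_BITS:
            os.chmod(f, mode & ~EXEC_BITS)
            fixed += 1
    return fixed

def demo():
    """Apply both fixes to a constructed data root and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        originals = Path(tmp) / "artefact" / "file" / "originals" / "9"
        originals.mkdir(parents=True)
        legacy = originals / "9"
        legacy.write_bytes(b"#!/bin/sh\necho hi\n")
        os.chmod(legacy, 0o755)          # pre-fix behaviour: upload stored executable
        return {
            "stripped": strip_exec_bits(Path(tmp) / "artefact"),
            "legacy_mode": legacy.stat().st_mode & 0o777,
            "new_mode": save_upload(originals / "10", b"hello"),
            "legacy_as_scanner": check_clam_path(str(legacy), tmp),
            "bash_as_scanner": check_clam_path("/bin/bash", tmp),
        }
```

`demo()` returns `stripped == 1` and both modes as `0o644`, with both dangerous scanner paths rejected.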

Hugh Davenport (hugh-davenport) wrote :

First fix, for master

Hugh Davenport (hugh-davenport) wrote :

First fix, for 1.4

Hugh Davenport (hugh-davenport) wrote :

First fix, for 1.2

Hugh Davenport (hugh-davenport) wrote :

Second fix, for master

Hugh Davenport (hugh-davenport) wrote :

Second fix, upgrade script to remove existing executable bits. For master

Hugh Davenport (hugh-davenport) wrote :

2nd fix upgrade, 1.6

Hugh Davenport (hugh-davenport) wrote :

2nd fix upgrade 1.5

Hugh Davenport (hugh-davenport) wrote :

2nd fix, for 1.4

Hugh Davenport (hugh-davenport) wrote :

2nd fix, 1.4 upgrade

2nd fix, 1.2 upgrade

Sorry, these bugs have the wrong bug number in the commit message, as they came from bug #1055232 originally. I will change them in my git branch for when we release.

Also, the -2 meaning 1st fix and -3 meaning 2nd fix may be confusing to some.

If there is no patch for the version you wish to patch, then pick the next highest version and so on until you hit the master patches. ie bug-1055232-3-14.patch is for 1.2, 1.3 and 1.4 for fix 2

Changed in mahara:
status: Confirmed → In Progress
Melissa Draper (melissa) on 2012-10-10
visibility: private → public
Changed in mahara:
status: In Progress → Fix Released
