Arbitrary Code Execution via pathtoclam config setting
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
Critical
|
Hugh Davenport | ||
| 1.4 |
Fix Released
|
Critical
|
Hugh Davenport | ||
| 1.5 |
Fix Released
|
Critical
|
Hugh Davenport | ||
Bug Description
This bug is related to bug #1055232
The ability of the administrator to set the path to clamav can be
abused. For instance changing the path to clamav from '/path/to/av' to
'/path/
malicious uploaded file to be executed. This requires that the saved file
is set to executable on upload, which currently it is.
They could also potentially set it to /bin/bash, allowing any user to upload
a shell script that doesn't require the executable bit set to run.
Fixes:
- Because installing antivirus will require shell access to the
server it seems reasonable to require setting the path to the AV be
done in a configuration file rather than a settings page. It could be
argued that in web applications generally, admin web access should not
be equivalent to shell access, due to relatively ease of session
compromise (as compared to shell access).
- Uploaded files should not be set to executable.
CVE References
| Hugh Davenport (hugh-davenport) wrote | #1 |
| Hugh Davenport (hugh-davenport) wrote | #2 |
| Hugh Davenport (hugh-davenport) wrote | #3 |
| Hugh Davenport (hugh-davenport) wrote | #4 |
| Hugh Davenport (hugh-davenport) wrote | #5 |
| Hugh Davenport (hugh-davenport) wrote | #6 |
| Hugh Davenport (hugh-davenport) wrote | #7 |
| Hugh Davenport (hugh-davenport) wrote | #8 |
| Hugh Davenport (hugh-davenport) wrote | #9 |
| Hugh Davenport (hugh-davenport) wrote | #10 |
| Hugh Davenport (hugh-davenport) wrote | #11 |
| Hugh Davenport (hugh-davenport) wrote | #12 |
| Changed in mahara: | |
| status: | Confirmed → In Progress |
| visibility: | private → public |
| Changed in mahara: | |
| status: | In Progress → Fix Released |
| Hugh Davenport (hugh-davenport) wrote | #13 |
First fix, for master