Should not be able to execute CLI scripts from the web

Bug #1387903 reported by Aaron Wells on 2014-10-30
Affects   Status   Importance   Assigned to   Milestone
Mahara             High         Aaron Wells   1.10
1.8                High         Unassigned
1.9                High         Unassigned
15.04              High         Aaron Wells

Bug Description

Mahara includes a few scripts that are meant to be executed only from the command line (most notably the ones under /admin/cli). Currently, though, there's no check to make sure these are being accessed from the command line rather than from the web server!

This is a security flaw. CLI scripts are intended to be accessible only by admins with CLI access to the server.

Since we put "define('CLI', 1);" at the top of every CLI script, it should be easy to safeguard against this.

Tags: cli

Aaron Wells (u-aaronw) wrote:

Credit: This bug was reported to me by Aaron Barnes at Catalyst IT.

Robert Lyon (robertl-9) wrote:

Hi Aaron,

On reading this: http://php.net/manual/en/function.php-sapi-name.php#89858 it sounds like checking for 'cli' with php_sapi_name() may return a false negative when php_cgi is in use.

Is that something we need to worry about? Do we need a more robust check to make sure the CLI scripts are run via commandline?

Cheers

Robert

Aaron Wells (u-aaronw) wrote:

Hi Robert,

Nah, a false negative is fine. The CLI is assumed to be more secure than the HTTP interface, so a CLI masquerading as HTTP is not a security problem.

If, as that comment mentions, someone has their server set up so that /usr/bin/php is an alias to the CGI script instead of the PHP CLI executable, well, they won't be able to run the CLI installer or upgrader, but that's because their system is misconfigured.

Cheers,
Aaron

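The guard discussed above, written out as an added example (this is illustrative code, not Mahara's own fix). It assumes a hypothetical shared bootstrap file that every CLI-only script includes after its define('CLI', 1) line; the bootstrap compares that constant against the SAPI name and fails closed when the script is reached through a web server. As Aaron notes in the thread, a shell invocation through php-cgi reports 'cgi-fcgi' rather than 'cli' and is therefore also refused; that is a deliberate false negative, since the safe direction is to reject anything that is not provably the CLI.

```php
<?php
// Hypothetical bootstrap (e.g. cli_guard.php) included by every CLI-only
// script. Example code, not Mahara's own. The CLI constant is defined by
// the calling script, exactly as the bug description says Mahara does.
//
//   define('CLI', 1);
//   require_once __DIR__ . '/cli_guard.php';

/**
 * True only when PHP is running under the command-line SAPI.
 *
 * php_sapi_name() returns 'cli' for the CLI binary. Web servers report
 * names such as 'apache2handler', 'fpm-fcgi' or 'cgi-fcgi'. A php-cgi
 * binary run from a shell also reports 'cgi-fcgi', so it is rejected too;
 * the thread above accepts that false negative because the CLI side is
 * the trusted one and refusing is the safe failure mode.
 */
function running_from_cli(): bool
{
    return php_sapi_name() === 'cli';
}

/**
 * Abort unless the current request is a genuine CLI invocation.
 *
 * Sends a generic 403 with no detail about the script so a web visitor
 * learns nothing beyond "not for you", then stops execution.
 */
function enforce_cli_only(): void
{
    if (running_from_cli()) {
        return;
    }

    if (!headers_sent()) {
        header('HTTP/1.1 403 Forbidden');
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "This script may only be run from the command line.\n";
    exit(1);
}

// Only scripts that declared themselves CLI-only are guarded. A script that
// runs from the CLI without defining CLI is left alone: the CLI is the more
// trusted interface, so that direction is not a security concern.
if (defined('CLI') && CLI) {
    enforce_cli_only();
}
```

The check is placed before any other work so that a web request never reaches the installer or upgrader logic at all. Hosts that alias /usr/bin/php to php-cgi will see the refusal when running these scripts from a shell, which matches the thread's position that such a setup is a misconfiguration to fix rather than a case to accommodate.
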
Robert Lyon (robertl-9) on 2014-11-25
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released