Session key is not checked during file upload

Bug #1480329 reported by abdullah on 2015-07-31
Affects        Status   Importance   Assigned to   Milestone
Mahara                  High         Aaron Wells
  1.10                  High         Unassigned
  1.9                   High         Unassigned
  15.04                 High         Unassigned
  15.10                 High         Aaron Wells

Bug Description

Hi, this is Abdullah.

I found a CSRF that makes a user upload files to any group without their knowledge; it can be used to attack admins to upload evil files.

PoC :

video

http://www.youtube.com/watch?v=M-NyrwKBzmw&feature=youtu.be

The fix:

Check that the sesskey is valid in groupfiles.php.

I hope you put my name in the release notes.

Is there a CVE for this bug?

Thanks

Used the latest Mahara version.

Hello Abdullah,

Thank you for your report. Our team will review this and get back to you next week with an update.

Cheers
Kristina

Aaron Wells (u-aaronw) on 2015-08-05
Changed in mahara:
importance: Undecided → High
assignee: nobody → Aaron Wells (u-aaronw)
milestone: none → 15.10.0
status: New → In Progress
Aaron Wells (u-aaronw) wrote :

I was able to replicate this bug. Essentially the problem is that the filebrowser Pieform element, in the event of a file upload, does all the necessary processing and returns a result message entirely in the pieform->get_value() stage (via pieform_element_filebrowser_get_value()). Thus, it never gets to the form validation stage of pieforms, bypassing our normal sesskey check.

This makes a Cross-Site Request Forgery (CSRF) attack possible, which is what Abdullah's video illustrates. The attacker puts together a form that will generate an HTTP request with all the same parameters as Mahara's own file upload process. If they can then trick a logged-in Mahara user into submitting this form in another tab, then they'll cause the user to upload a file of their choice.

With any other form, we include a "sesskey" value in a hidden variable, which matches a randomly generated key stored in the user's session. Then when the form is submitted, we verify that the sesskey that was passed back from the user's browser matches the sesskey in the session. However, because we're not getting to the validation step in the filebrowser upload process, the sesskey is not checked, and thus CSRF is possible.

The code that did this was added in 2009, so this vulnerability is likely present in all current versions of Mahara, and in all places where the filebrowser element is used (not just group files, but also individual files, institution files, and site files). Notably, this means an attacker could upload a file into the Site Files "Public" area, where it would be accessible by logged-out users outside of Mahara.

Aaron Wells (u-aaronw) wrote :

Hi Abdullah,

Thanks for the bug report! Would you like to have your name added to our security researchers wall?

https://wiki.mahara.org/wiki/Contributors#Security_researchers

Cheers,
Aaron

Aaron Wells (u-aaronw) wrote :

To replicate:

One way to replicate it is to create a form that will simulate a file upload. An easier way to check that the sesskey is being validated, though, is like this:

1. Log in to Mahara and go to "Content -> Files".

2. Using the Firefox (or Chrome) developer tools, open up a live view of the page's source code.

3. Find the hidden form variable with ID "files_sesskey".

4. Delete it, or change its value to "wrongsesskey".

5. Upload a file.

Expected result: The process should error out. Depending on how thorough the JavaScript involved is, you may see this error message: "Invalid session key"

Actual result: The file upload finishes successfully
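The following is an added example, not code from the bug report or from Mahara/Pieforms. It models the processing order Aaron describes (an element whose get_value() does the upload and returns early, so the form's validation stage and its sesskey check never run) next to the generic remedy of checking the session key before any element may act on the request, and it automates the "wrongsesskey" check from the replication steps above against both variants. The element, session and request shapes (a dict, a hidden "files_sesskey" field, a "userfile" field) are assumptions for illustration and do not claim to match the internals of Pieforms or of the linked patch.

```python
import hmac
import secrets


class InvalidSessionKey(Exception):
    """Raised when the submitted session key does not match the session's key."""


def new_session():
    """A logged-in session holding a random per-session CSRF key (constructed model of Mahara's sesskey)."""
    return {"sesskey": secrets.token_hex(16), "files": []}


class FileBrowserElement:
    """Models an element whose get_value() has side effects: it stores the upload
    and returns a result, instead of merely returning the field's value."""

    def get_value(self, session, request):
        if "userfile" in request:
            session["files"].append(request["userfile"])   # the upload happens here
            return {"uploaded": request["userfile"]}
        return None


def validate_sesskey(session, request):
    """The normal form validation step: the hidden field must equal the session key.
    Constant-time comparison avoids leaking the key through timing."""
    submitted = request.get("files_sesskey", "")
    if not hmac.compare_digest(submitted, session["sesskey"]):
        raise InvalidSessionKey("Invalid session key")


def process_form_vulnerable(session, request, element):
    """Order as in the bug: get_value() runs first and returns a result message,
    so control never reaches validate_sesskey()."""
    result = element.get_value(session, request)
    if result is not None:
        return result
    validate_sesskey(session, request)
    return {"ok": True}


def process_form_fixed(session, request, element):
    """Remedy: verify the session key before any element is allowed to touch the request."""
    validate_sesskey(session, request)
    result = element.get_value(session, request)
    return result if result is not None else {"ok": True}


def upload_with_sesskey(processor, session, sesskey, filename="evil.html"):
    """Automates replication steps 4 and 5: submit an upload carrying the given files_sesskey
    and report whether the server accepted it. The filename is a constructed sample."""
    request = {"files_sesskey": sesskey, "userfile": filename}
    try:
        processor(session, request, FileBrowserElement())
        return "uploaded"
    except InvalidSessionKey:
        return "rejected"


if __name__ == "__main__":
    session = new_session()
    print("vulnerable, wrong key:", upload_with_sesskey(process_form_vulnerable, session, "wrongsesskey"))
    session = new_session()
    print("fixed, wrong key:     ", upload_with_sesskey(process_form_fixed, session, "wrongsesskey"))
    print("fixed, correct key:   ", upload_with_sesskey(process_form_fixed, session, session["sesskey"]))
```

The vulnerable variant accepts the upload with "wrongsesskey" (the "Actual result" above); the fixed variant rejects it and only accepts a submission carrying the session's own key. The same property holds for a missing field, since an absent files_sesskey compares as an empty string. The general point is that a CSRF token must be verified before any handler performs a state-changing side effect, not merely in a validation phase that some code path can skip.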

Aaron Wells (u-aaronw) wrote :

Patch for this issue: https://reviews.mahara.org/5050

abdullah (eye-magicme) wrote :

Hi, thanks for the reply.

Please add my name wherever there is credit.

Abdullah Hussam Gazi (https://twitter.com/Abdulahhusam)

And please add it to the release notes.

Is there a CVE for this bug? It affects many versions.

Thanks.

Hello Abdullah,

I added you to https://wiki.mahara.org/wiki/Contributors#Mahara_code

We do always request CVE numbers and will give you credit there once the assignment has been made.

Cheers
Kristina

summary: - CSRF bug
+ Session key is not checked during file upload
abdullah (eye-magicme) wrote :

Thanks, please notify me when the CVE number assignment has been made.

Hello Abdullah,

Once we have the CVE number, we will add it here to the Launchpad bug.

Cheers
Kristina

Aaron Wells (u-aaronw) on 2015-08-19
information type: Private Security → Public Security

Hello Abdullah,

We included a fix for this issue in our latest releases. See https://mahara.org/interaction/forum/topic.php?id=7334

Unfortunately, we don't yet have a CVE number assigned. Once we have it, we will add it here in Launchpad as well as on the forum entry.

Cheers
Kristina

abdullah (eye-magicme) wrote :

Thank you !

Herson Cruz (hersoncruz) on 2017-06-28
description: updated