Session key is not checked during file upload
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | | High | Aaron Wells | |
| 1.10 | | High | Unassigned | |
| 1.9 | | High | Unassigned | |
| 15.04 | | High | Unassigned | |
| 15.10 | | High | Aaron Wells | |
Bug Description
Hi, this is Abdullah,
I found a CSRF that makes a user upload files to any group without his knowledge. It can be used to attack admins to upload evil files.
PoC:
video
http://
The fix:
check sesskey is valid in (groupfiles.php)
I hope you put my name in the release note.
Is there a CVE for this bug?
Thanks
Used Mahara latest version
CVE References
Kristina Hoeppner (kris-hoeppner) wrote : | #1 |
Changed in mahara:
importance: Undecided → High
assignee: nobody → Aaron Wells (u-aaronw)
milestone: none → 15.10.0
status: New → In Progress
Aaron Wells (u-aaronw) wrote : | #2 |
I was able to replicate this bug. Essentially the problem is that the filebrowser Pieform element, in the event of a file upload, does all the necessary processing and returns a result message entirely in the pieform-
This makes a Cross-Site Request Forgery (CSRF) attack possible, which is what Abdullah's video illustrates. The attacker puts together a form that will generate an HTTP request with all the same parameters as Mahara's own file upload process. If they can then trick a logged-in Mahara user into submitting this form in another tab, then they'll cause the user to upload a file of their choice.
With any other form, we include a "sesskey" value in a hidden variable, which matches a randomly generated key stored in the user's session. Then when the form is submitted, we verify that the sesskey that was passed back from the user's browser matches the sesskey in the session. However, because we're not getting to the validation step in the filebrowser upload process, the sesskey is not checked, and thus CSRF is possible.
The code that did this was added in 2009, so this vulnerability is likely present in all current versions of Mahara, and in all places where the filebrowser element is used (not just group files, but also individual files, institution files, and site files). Notably, this means an attacker could upload a file into the Site Files "Public" area, where it would be accessible by logged-out users outside of Mahara.
Aaron Wells (u-aaronw) wrote : | #3 |
Hi Abdullah,
Thanks for the bug report! Would you like to have your name added to our security researchers wall?
https:/
Cheers,
Aaron
Aaron Wells (u-aaronw) wrote : | #4 |
To replicate:
One way to replicate it is to create a form that will simulate a file upload. An easier way to check that the sesskey is being validated, though, is like this:
1. Log in to Mahara and go to "Content -> Files".
2. Using the Firefox (or Chrome) developer tools, open up a live view of the page's source code.
3. Find the hidden form variable with ID "files_sesskey".
4. Delete it, or change its value to "wrongsesskey".
5. Upload a file.
Expected result: The process should error out. Depending on how thorough the JavaScript involved is, you may see this error message: "Invalid session key".
Actual result: The file upload finishes successfully.
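The sesskey mechanism Aaron describes in comment #2 (a random per-session key carried in a hidden form field and compared on submit), together with the manual check in comment #4 (a deleted or "wrongsesskey" value in `files_sesskey` must be rejected with "Invalid session key"), as an added PHP illustration. This is not Mahara or Pieforms code; the function names (`issue_sesskey`, `sesskey_is_valid`, `handle_upload`, `handle_upload_unchecked`) and the in-memory `$session`/`$post` arrays standing in for `$_SESSION`/`$_POST` are assumptions made for the example.

```php
<?php
// Added illustration of the anti-CSRF "sesskey" pattern; not Mahara's own code.
// Function names and the array-based session/request are hypothetical.
declare(strict_types=1);

// Create the per-session key once and keep it server-side (stands in for $_SESSION).
function issue_sesskey(array &$session): string
{
    if (empty($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    }
    return $session['sesskey'];
}

// Render the hidden field a form carries back; "files_sesskey" is the id named in comment #4.
function sesskey_hidden_field(string $sesskey): string
{
    return '<input type="hidden" name="sesskey" id="files_sesskey" value="'
        . htmlspecialchars($sesskey, ENT_QUOTES, 'UTF-8') . '">';
}

// The check: the posted value must be present and equal to the session copy.
// hash_equals() keeps the comparison constant-time.
function sesskey_is_valid(array $session, array $post): bool
{
    $supplied = $post['sesskey'] ?? null;
    $expected = $session['sesskey'] ?? null;
    return is_string($supplied) && is_string($expected) && hash_equals($expected, $supplied);
}

// The defect described in comment #2, in miniature: the upload branch does its
// work and returns its result message before any validation step runs, so a
// forged cross-site request with no (or a wrong) sesskey still stores the file.
function handle_upload_unchecked(array $session, array $post, array $file): string
{
    return 'Uploaded ' . $file['name']; // file already processed; sesskey never consulted
}

// Fixed ordering: reject the request before the file is touched.
function handle_upload(array $session, array $post, array $file): string
{
    if (!sesskey_is_valid($session, $post)) {
        return 'Invalid session key';
    }
    // ... only now move the upload into the user's, group's, institution's or site's file area ...
    return 'Uploaded ' . $file['name'];
}

// Constructed walkthrough mirroring the three states of the hidden field in comment #4.
$session = [];
$key = issue_sesskey($session);
echo sesskey_hidden_field($key), PHP_EOL;

$file  = ['name' => 'report.pdf']; // constructed sample upload
$cases = [
    'correct sesskey' => ['sesskey' => $key],
    'wrong sesskey'   => ['sesskey' => 'wrongsesskey'],
    'field deleted'   => [],
];
foreach ($cases as $label => $post) {
    printf("%-16s  unchecked: %-20s  checked: %s\n",
        $label,
        handle_upload_unchecked($session, $post, $file),
        handle_upload($session, $post, $file));
}
```

Run with `php sesskey_demo.php`. The unchecked handler accepts all three cases, which is the behaviour Aaron reports as the actual result; the checked handler accepts only the request carrying the session's own key and answers the other two with "Invalid session key", the expected result. The point of the fix is purely one of ordering: the key comparison itself is cheap, but it must run before the upload branch stores anything.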
Aaron Wells (u-aaronw) wrote : | #5 |
Patch for this issue: https:/
abdullah (eye-magicme) wrote : | #6 |
Hi, thanks for the reply.
Please add my name wherever there is credit:
Abdullah Hussam Gazi (https:/
And please add it in the release note.
Is there a CVE for this bug? It affects many versions.
Thanks.
Kristina Hoeppner (kris-hoeppner) wrote : | #7 |
Hello Abdullah,
I added you to https:/
We do always request CVE numbers and will give you credit there once the assignment has been made.
Cheers
Kristina
summary:
- CSRF bug + Session key is not checked during file upload
abdullah (eye-magicme) wrote : | #8 |
Thanks, please notify me when the CVE number assignment has been made.
Kristina Hoeppner (kris-hoeppner) wrote : | #9 |
Hello Abdullah,
Once we have the CVE number, we will add it here to the Launchpad bug.
Cheers
Kristina
information type: Private Security → Public Security
Kristina Hoeppner (kris-hoeppner) wrote : | #10 |
Hello Abdullah,
We included a fix for this issue in our latest releases. See https:/
Unfortunately, we don't yet have a CVE number assigned. Once we have it, we will add it here in Launchpad as well as on the forum entry.
Cheers
Kristina
abdullah (eye-magicme) wrote : | #11 |
Thank you !
description: updated
Hello Abdullah,
Thank you for your report. Our team will review this and get back to you next week with an update.
Cheers
Kristina