Session key is not checked during file upload

Bug #1480329 reported by abdullah on 2015-07-31
Assigned to: Aaron Wells

Bug Description

Hi this is Abdullah ,

I found a CSRF that makes a user upload files to any group without knowing it; it can be used to attack admins to upload evil files.

PoC:


The fix:

Check that sesskey is valid in groupfiles.php.

I hope you put my name in the release note.

Is there a CVE for this bug?


Used the latest Mahara version.


Hello Abdullah,

Thank you for your report. Our team will review this and get back to you next week with an update.


Aaron Wells (u-aaronw) on 2015-08-05
Changed in mahara:
importance: Undecided → High
assignee: nobody → Aaron Wells (u-aaronw)
milestone: none → 15.10.0
status: New → In Progress
Aaron Wells (u-aaronw) wrote :

I was able to replicate this bug. Essentially the problem is that the filebrowser Pieform element, in the event of a file upload, does all the necessary processing and returns a result message entirely in the pieform->get_value() stage (via pieform_element_filebrowser_get_value()). Thus, it never gets to the form validation stage of pieforms, bypassing our normal sesskey check.

This makes a Cross-Site Request Forgery (CSRF) attack possible, which is what Abdullah's video illustrates. The attacker puts together a form that will generate an HTTP request with all the same parameters as Mahara's own file upload process. If they can then trick a logged-in Mahara user into submitting this form in another tab, then they'll cause the user to upload a file of their choice.

With any other form, we include a "sesskey" value in a hidden variable, which matches a randomly generated key stored in the user's session. Then when the form is submitted, we verify that the sesskey that was passed back from the user's browser matches the sesskey in the session. However, because we're not getting to the validation step in the filebrowser upload process, the sesskey is not checked, and thus CSRF is possible.

The code that did this was added in 2009, so this vulnerability is likely present in all current versions of Mahara, and in all places where the filebrowser element is used (not just group files, but also individual files, institution files, and site files). Notably, this means an attacker could upload a file into the Site Files "Public" area, where it would be accessible by logged-out users outside of Mahara.

Aaron Wells (u-aaronw) wrote :

Hi Abdullah,

Thanks for the bug report! Would you like to have your name added to our security researchers wall?


Aaron Wells (u-aaronw) wrote :

To replicate:

One way to replicate it is to create a form that will simulate a file upload. An easier way to check that the sesskey is being validated, though, is like this:

1. Log in to Mahara and go to "Content -> Files".

2. Using the Firefox (or Chrome) developer tools, open up a live view of the page's source code.

3. Find the hidden form variable with ID "files_sesskey".

4. Delete it, or change its value to "wrongsesskey".

5. Upload a file.

Expected result: The process should error out. Depending on how thorough the Javascript involved is, you may see this error message: "Invalid session key"

Actual result: The file upload finishes successfully
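The ordering problem Aaron describes above (the filebrowser element completes the upload inside get_value(), so the form never reaches the validation stage where sesskey is compared) and the replication check (submit with a wrong sesskey and see whether the upload still succeeds) can both be modelled in a few lines. The following is an added illustration written for this page, not Mahara or Pieforms code: the class names FileBrowserElement and Form, the simulate() helper and the "evil.html" upload are constructed assumptions, and the only fact taken from the bug is the order in which the two stages run.

```python
"""Model of a sesskey (CSRF token) check bypassed by side effects in get_value().

Added example, not Mahara code.  FileBrowserElement, Form, simulate() and
the sample request are assumptions made for illustration.
"""
import hmac
import secrets


class SessionKeyError(Exception):
    """Raised when the submitted sesskey does not match the session."""


def new_sesskey():
    # Random per-session token, stored server-side in the user's session.
    return secrets.token_hex(16)


def check_sesskey(session, request):
    # Compare the hidden form value against the session copy in constant time.
    # A missing key compares as "" and is rejected like a wrong one.
    submitted = request.get("sesskey", "")
    if not hmac.compare_digest(submitted, session["sesskey"]):
        raise SessionKeyError("Invalid session key")


class FileBrowserElement:
    """Element whose get_value() performs the upload as a side effect."""

    def __init__(self, store, check_before_upload):
        self.store = store                          # where uploads land
        self.check_before_upload = check_before_upload

    def get_value(self, session, request):
        if self.check_before_upload:
            # The fix: an element that acts during get_value() must verify
            # the sesskey itself before doing anything irreversible.
            check_sesskey(session, request)
        if "upload" in request:
            self.store.append(request["upload"])     # upload happens here
            return "File uploaded"                   # result message returned early
        return None


class Form:
    """Minimal Pieforms-style pipeline: get_value() runs before validate()."""

    def __init__(self, element):
        self.element = element

    def submit(self, session, request):
        # Stage 1: collect element values.  For the filebrowser element this
        # already completed the upload and produced a message, so the
        # function returns before the validation stage below is reached.
        message = self.element.get_value(session, request)
        if message is not None:
            return message
        # Stage 2: normal validation, which is where every other form is
        # protected against CSRF.
        check_sesskey(session, request)
        return "validated"


def simulate(check_before_upload, forged):
    """Submit one upload through the pipeline.

    forged=True models the CSRF case: the attacker's form carries the upload
    but not the victim's sesskey (here the literal "wrongsesskey", as in the
    replication steps).  Returns (outcome message, list of stored uploads).
    """
    session = {"sesskey": new_sesskey()}
    store = []
    form = Form(FileBrowserElement(store, check_before_upload))
    request = {"upload": "evil.html"}               # constructed sample upload
    request["sesskey"] = "wrongsesskey" if forged else session["sesskey"]
    try:
        outcome = form.submit(session, request)
    except SessionKeyError as err:
        outcome = str(err)
    return outcome, list(store)


if __name__ == "__main__":
    print("vulnerable, forged :", simulate(False, True))   # upload succeeds
    print("fixed, forged      :", simulate(True, True))    # Invalid session key
    print("fixed, legitimate  :", simulate(True, False))   # upload succeeds
```

Running it shows the three cases from the bug: with the vulnerable ordering a forged request still stores the file, the fixed element rejects the same request with "Invalid session key", and a legitimate submission with the real sesskey still works.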

Aaron Wells (u-aaronw) wrote :

Patch for this issue:

abdullah (eye-magicme) wrote :

Hi, thanks for the reply.

Please add my name wherever there is credit:

Abdullah Hussam Gazi (

And please add it in the release note.

Is there a CVE for this bug? It affects many versions.

Thanks.

Hello Abdullah,

I added you to

We do always request CVE numbers and will give you credit there once the assignment has been made.


summary: - CSRF bug
+ Session key is not checked during file upload
abdullah (eye-magicme) wrote :

Thanks, please notify me when the CVE number assignment has been made.

Hello Abdullah,

Once we have the CVE number, we will add it here to the Launchpad bug.


Aaron Wells (u-aaronw) on 2015-08-19
information type: Private Security → Public Security

Hello Abdullah,

We included a fix for this issue in our latest releases. See

Unfortunately, we don't yet have a CVE number assigned. Once we have it, we will add it here in Launchpad as well as on the forum entry.


abdullah (eye-magicme) wrote :

Thank you !

Herson Cruz (hersoncruz) on 2017-06-28
description: updated