Unserialize untrusted data when importing skins

Bug #1508684 reported by Son Nguyen on 2015-10-21
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Critical
Unassigned
15.04
Critical
Unassigned
15.10
Critical
Son Nguyen
16.04
Critical
Unassigned

Bug Description

Version: 1.10, 15.04. 15.10, master
Platform: any

There is a unserialize vulnerability in skin import function

see line 200 in htdocs/skin/import.php

When importing the attached skin, you will see the error:

[WAR] ce (lib/web.php:3684) Object of class __PHP_Incomplete_Class could not be converted to string
Call stack (most recent first):
log_message("Object of class __PHP_Incomplete_Class could not b...", 8, true, true, "/var/www/mahara/master/htdocs/lib/web.php", 3684) at /var/www/mahara/master/htdocs/lib/errors.php:441
error(4096, "Object of class __PHP_Incomplete_Class could not b...", "/var/www/mahara/master/htdocs/lib/web.php", 3684, array(size 5)) at /var/www/mahara/master/htdocs/lib/web.php:3684
clean_css(object(__PHP_Incomplete_Class), true) at /var/www/mahara/master/htdocs/skin/import.php:200
importskinform_submit(object(Pieform), array(size 4)) at Unknown:0
call_user_func_array("importskinform_submit", array(size 2)) at /var/www/mahara/master/htdocs/lib/pieforms/pieform.php:537
Pieform->__construct(array(size 4)) at /var/www/mahara/master/htdocs/lib/pieforms/pieform.php:164
Pieform::process(array(size 4)) at /var/www/mahara/master/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 4)) at /var/www/mahara/master/htdocs/skin/import.php:64

CVE References

Son Nguyen (ngson2000) wrote :
information type: Public → Private Security
no longer affects: mahara/1.9
no longer affects: mahara/1.10
Changed in mahara:
milestone: 16.04.1 → 16.10.0
Son Nguyen (ngson2000) on 2016-06-19
Changed in mahara:
status: Confirmed → Fix Committed

Reviewed: https://reviews.mahara.org/6677
Committed: https://git.mahara.org/mahara/mahara/commit/1f299954f3ffbc26c69e27f000daf8f0e97de457
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 1f299954f3ffbc26c69e27f000daf8f0e97de457
Author: Son Nguyen <email address hidden>
Date: Thu Oct 22 10:55:40 2015 +1300

Make sure imported custom skin xml entries are clean. Bug 1508684

behatnotneeded

Change-Id: I2e597d5931391e731baefa46d5f9d9ca2059ee10

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6679
Committed: https://git.mahara.org/mahara/mahara/commit/9d7701e80b24bdbaccb77ae7730ae9c504d1143b
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 9d7701e80b24bdbaccb77ae7730ae9c504d1143b
Author: Son Nguyen <email address hidden>
Date: Thu Oct 22 10:55:40 2015 +1300

Make sure imported custom skin xml entries are clean. Bug 1508684

behatnotneeded

Change-Id: I2e597d5931391e731baefa46d5f9d9ca2059ee10

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6678
Committed: https://git.mahara.org/mahara/mahara/commit/3f9514bdaa9b70457a404cd1b9aa502c261aeef2
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit 3f9514bdaa9b70457a404cd1b9aa502c261aeef2
Author: Son Nguyen <email address hidden>
Date: Thu Oct 22 10:55:40 2015 +1300

Make sure imported custom skin xml entries are clean. Bug 1508684

behatnotneeded

Change-Id: I2e597d5931391e731baefa46d5f9d9ca2059ee10

Robert Lyon (robertl-9) on 2016-07-11
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
status: Fix Committed → Fix Released
sa (bbbrrr800) on 2018-09-14
Changed in mahara:
assignee: Son Nguyen (ngson2000) → sa (bbbrrr800)
Changed in mahara:
assignee: sa (bbbrrr800) → nobody
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments