Unserialize untrusted data when importing skins

Bug #1508684 reported by Son Nguyen
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | Critical | Unassigned | |
| 15.04 | Fix Released | Critical | Unassigned | |
| 15.10 | Fix Released | Critical | Son Nguyen | |
| 16.04 | Fix Released | Critical | Unassigned | |

Bug Description

Version: 1.10, 15.04, 15.10, master
Platform: any

There is an unserialize vulnerability in the skin import function.

See line 200 in htdocs/skin/import.php.

When importing the attached skin, you will see the error:

[WAR] ce (lib/web.php:3684) Object of class __PHP_Incomplete_Class could not be converted to string
Call stack (most recent first):
log_message("Object of class __PHP_Incomplete_Class could not b...", 8, true, true, "/var/www/mahara/master/htdocs/lib/web.php", 3684) at /var/www/mahara/master/htdocs/lib/errors.php:441
error(4096, "Object of class __PHP_Incomplete_Class could not b...", "/var/www/mahara/master/htdocs/lib/web.php", 3684, array(size 5)) at /var/www/mahara/master/htdocs/lib/web.php:3684
clean_css(object(__PHP_Incomplete_Class), true) at /var/www/mahara/master/htdocs/skin/import.php:200
importskinform_submit(object(Pieform), array(size 4)) at Unknown:0
call_user_func_array("importskinform_submit", array(size 2)) at /var/www/mahara/master/htdocs/lib/pieforms/pieform.php:537
Pieform->__construct(array(size 4)) at /var/www/mahara/master/htdocs/lib/pieforms/pieform.php:164
Pieform::process(array(size 4)) at /var/www/mahara/master/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 4)) at /var/www/mahara/master/htdocs/skin/import.php:64
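
A defensive pattern for the class of bug reported above, as an added example that is not Mahara's code or the committed fix: decode a serialized value from an import file without instantiating objects, and reject anything that is not a scalar or an array of scalars. The function names and sample inputs are hypothetical, and the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// Added example, not Mahara's code. Names and sample data are hypothetical.

/**
 * Decode a serialized value taken from an imported file, accepting only
 * scalars and (nested) arrays of scalars. Returns null for anything else.
 */
function safe_import_value(string $raw)
{
    // allowed_classes => false (PHP >= 7.0) stops unserialize() from
    // instantiating any class: objects come back as __PHP_Incomplete_Class,
    // so no application __wakeup()/__destruct() method is triggered.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; 'b:0;' is the one
    // valid payload that also decodes to false.
    if ($value === false && $raw !== 'b:0;') {
        return null;
    }
    return contains_object($value) ? null : $value;
}

function contains_object($value): bool
{
    // Before PHP 7.2, is_object() returned false for __PHP_Incomplete_Class,
    // so test for that class explicitly as well.
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs.
$samples = [
    'plain string'  => serialize('body { color: #333; }'),
    'array'         => serialize(['font' => 'Arial', 'size' => 12]),
    'object'        => 'O:8:"stdClass":0:{}',
    'nested object' => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    'garbage'       => 'not serialized',
];
foreach ($samples as $label => $raw) {
    echo $label, ': ', safe_import_value($raw) === null ? 'rejected' : 'accepted', "\n";
}
```

The `__PHP_Incomplete_Class` in the call stack above is the same placeholder type this check looks for: it is what `unserialize()` yields when the payload names a class that is not loaded or not allowed.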

Son Nguyen (ngson2000) wrote :
information type: Public → Private Security
Robert Lyon (robertl-9) wrote :
no longer affects: mahara/1.9
no longer affects: mahara/1.10
Changed in mahara:
milestone: 16.04.1 → 16.10.0
Son Nguyen (ngson2000)
Changed in mahara:
status: Confirmed → Fix Committed
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/6677
Committed: https://git.mahara.org/mahara/mahara/commit/1f299954f3ffbc26c69e27f000daf8f0e97de457
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 1f299954f3ffbc26c69e27f000daf8f0e97de457
Author: Son Nguyen <email address hidden>
Date: Thu Oct 22 10:55:40 2015 +1300

Make sure imported custom skin xml entries are clean. Bug 1508684

behatnotneeded

Change-Id: I2e597d5931391e731baefa46d5f9d9ca2059ee10

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6679
Committed: https://git.mahara.org/mahara/mahara/commit/9d7701e80b24bdbaccb77ae7730ae9c504d1143b
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 9d7701e80b24bdbaccb77ae7730ae9c504d1143b
Author: Son Nguyen <email address hidden>
Date: Thu Oct 22 10:55:40 2015 +1300

Make sure imported custom skin xml entries are clean. Bug 1508684

behatnotneeded

Change-Id: I2e597d5931391e731baefa46d5f9d9ca2059ee10

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6678
Committed: https://git.mahara.org/mahara/mahara/commit/3f9514bdaa9b70457a404cd1b9aa502c261aeef2
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit 3f9514bdaa9b70457a404cd1b9aa502c261aeef2
Author: Son Nguyen <email address hidden>
Date: Thu Oct 22 10:55:40 2015 +1300

Make sure imported custom skin xml entries are clean. Bug 1508684

behatnotneeded

Change-Id: I2e597d5931391e731baefa46d5f9d9ca2059ee10

Robert Lyon (robertl-9)
information type: Private Security → Public Security
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released
sa (bbbrrr800)
Changed in mahara:
assignee: Son Nguyen (ngson2000) → sa (bbbrrr800)
Changed in mahara:
assignee: sa (bbbrrr800) → nobody
This report contains Public Security information  
Everyone can see this security related information.
