Able to upload a virus file to Files section

Bug #1770535 reported by Robert Lyon on 2018-05-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Robert Lyon
Robert Lyon

Bug Description

If I try to upload the benign test virus file called "" from Mahara spots it and alerts user it is a virus

However, if I try to upload the file it lets me (which is bad) but understandable as the signature of the virus file can be hidden via compression. And a user could only be infected if they download the zip and extract it locally.

But if I then press the 'Decompress' button it extracts the zip file and doesn't complain. This is bad as all one needs to do to upload a virus is to wrap it in a zip file and then extract it and now they can trick another user to click on the file directly.

When importing a zip file via Importer and clamav is on it checks the files of the zip for viruses but when extracting a zip file in Files section it does not.

We need to tidy this up so that uploading a zip file gets checked properly as well.

CVE References

Robert Lyon (robertl-9) wrote :

Note to self:

Files that are in play
htdocs/lib/uploadmanager.php - holds function that does scan
htdocs/import/file/lib.php - looks to do clamav correctly
htdocs/artefact/file/extract.php- looks to not do clamav check

Robert Lyon (robertl-9) wrote :

I've begun a bug at:

Currently only looks at double checking a zip file for virus files if a user click the 'Decompress' button in Content -> Files section.

If a virus is found it moves the file to quarantine and deletes the file info from Mahara.

For the security announcement:

Virus scanner does not check Leap2A zip files

Vulnerability type: Upload of a virus-infected file

Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 can be used as medium to transmit viruses by placing infected files into a Leap2A archive and uploading that to Mahara. In contrast to other ZIP files that are uploaded, ClamAV (when activated) does not check Leap2A archives for viruses, allowing malicious files to be available for download. While files cannot be executed on Mahara itself, Mahara can be used to transfer such files to user computers.

Bug report:
CVE reference: CVE-2018-11196

Discoverer credit: Swe Zin Lynn, The Australian National University

Another scenario: If an infected file is exported as "File" format from Moodle to Mahara, it is successfully exported without any error/warning.

Ghada El-Zoghbi (ghada-z) wrote :

Just tried the last scenario reported (without the patch):

Scenario: If an infected file is exported as "File" format from Moodle to Mahara, it is successfully exported without any error/warning.

I can confirm that Mahara catches the virus when it's exported as 'File' (archive or plain file).

information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers