Path traversal leads to unauthenticated HTML file disclosure
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Unassigned |
20.04 | Fix Released | High | Unassigned |
20.10 | Fix Released | High | Unassigned |
21.04 | Fix Released | High | Unassigned |
Bug Description
Hello again! Mahara's help API blocks / characters but replaces the - with / in the `page` parameter (see https:/
To reproduce, visit http://
It will show the contents of the tinymce plugin's help.html file that lives in the Mahara directory structure.
The vulnerable code mentioned above is in the `get_helpfile_
```php
// Fragment of the help-file lookup: $page, $plugintype, $pluginname and $subdir
// are set by the enclosing function. The "-" separator in $page becomes "/" here.
if ($page) {
    $pagebits = explode('-', $page);
    $file = array_pop($pagebits);   // last segment is used as the file name
    if ($plugintype != 'core') {
        // the joined segments are never checked against the help/ base directory
        $subdir .= 'pages/' . join('/', $pagebits) . '/';
    }
    else {
        $subdir .= 'pages/' . $pluginname . '/' . join('/', $pagebits) . '/';
    }
}
```
This "split on - and join with /" logic allows the path traversal. The final path should be checked to make sure it's still inside the help/ directory.
The real impact of this vulnerability comes from the fact that after using the export function (http://
Leaking it would require getting the unix timestamp in the path right, but that is still not impossible if there's no rate-limiting in place. Getting to the base `/HTML/index.html` file would reveal the names of the other files, so they don't need to be guessed.
Suggested CVSS: AV:N/AC:
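As an added illustration (not Mahara's code), the same "-" to "/" page mapping followed by the containment check the report suggests: canonicalise the candidate with realpath() and serve it only if it still lies under the help/ base directory. The function name, the `$helpbase` parameter and the temporary fixture paths are assumptions made for this demonstration.

```php
<?php
// Added example, not Mahara's code. resolve_help_page() and $helpbase are assumed names.
function resolve_help_page(string $helpbase, string $plugintype, string $pluginname, string $page): ?string {
    // Same mapping as the reported snippet: split on "-", last segment is the file name.
    $pagebits = explode('-', $page);
    $file = array_pop($pagebits) . '.html';
    $subdir = 'pages/';
    if ($plugintype == 'core') {
        $subdir .= $pluginname . '/';
    }
    if ($pagebits) {
        $subdir .= join('/', $pagebits) . '/';
    }
    $candidate = rtrim($helpbase, '/') . '/' . $subdir . $file;

    // Containment check: canonicalise both sides and require the file to sit under the base.
    $base = realpath($helpbase);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;   // base directory missing or file does not exist
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // resolved outside help/: refuse to serve it
    }
    return $real;
}

// Constructed fixture: a temporary help/ tree with one legitimate page
// and a file that sits outside the help/ base.
$root = sys_get_temp_dir() . '/helpdemo_' . uniqid();
mkdir("$root/help/pages/blog", 0700, true);
file_put_contents("$root/help/pages/blog/newpost.html", '<p>help</p>');
file_put_contents("$root/outside.html", '<p>not help</p>');

// A normal page is served; a page value whose "-" segments climb out of help/ is rejected.
foreach (['newpost', '..-..-..-outside'] as $p) {
    $r = resolve_help_page("$root/help", 'core', 'blog', $p);
    printf("%-18s => %s\n", $p, $r === null ? 'rejected' : 'served ' . basename($r));
}
```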
CVE References
no longer affects: | mahara/21.10 |
information type: | Private Security → Public Security |
Hi Dominic,
Thank you for this new potential security vulnerability. We'll review it and get back to you within 10 business days with next steps.
Thank you
Kristina