Path traversal leads to unauthenticated HTML file disclosure

Bug #1944979 reported by Dominic
Affects   Status        Importance  Assigned to  Milestone
Mahara    Fix Released  High        Unassigned
  20.04   Fix Released  High        Unassigned
  20.10   Fix Released  High        Unassigned
  21.04   Fix Released  High        Unassigned

Bug Description

Hello again! Mahara's help API blocks `/` characters but replaces the `-` with `/` in the `page` parameter (see https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/lib/mahara.php#L376), and this allows unauthenticated path traversal. The thing that prevents this from being a really bad vulnerability is that the application appends a .html to the path, so the files that can be leaked are quite limited. However, the export feature leaves potentially-private user data on disk... in .html format!

To reproduce, visit http://localhost:6142/mahara/json/help.php?plugintype=core&pluginname=view&page=..-..-..-..-..-js-tinymce-plugins-mathslate-help

It will show the contents of the tinymce plugin's help.html file that lives in the Mahara directory structure.

The vulnerable code mentioned above is in the `get_helpfile_location` function.

```php
    if ($page) {
        // '-' is the only separator the API accepts; every '-' becomes a '/'
        // below, so "..-..-foo" turns into "../../foo" (the traversal).
        $pagebits = explode('-', $page);
        // The last segment becomes the file name; only .html files are reachable.
        $file = array_pop($pagebits) . '.html';
        if ($plugintype != 'core') {
            $subdir .= 'pages/' . join('/', $pagebits) . '/';
        }
        else {
            $subdir .= 'pages/' . $pluginname . '/' . join('/', $pagebits) . '/';
        }
    }
```

This "split on - and join with /" logic allows the path traversal. The final path should be checked to make sure it's still inside the help/ directory.

The real impact of this vulnerability comes from the fact that after using the export function (http://localhost:6142/mahara/export/index.php) the HTML data of a user remains on disk for a while.

```shell
root@692678e7a88b:/# find /mahara/data/ -name '*.html'
/mahara/data/export/1/1632482909/HTML/views/21_Untitled-v.5/index.html
/mahara/data/export/1/1632482909/HTML/views/8_Untitled-v.2-scrip-alert-1-script-/index.html
/mahara/data/export/1/1632482909/HTML/views/9_Untitled-v.3/index.html
/mahara/data/export/1/1632482909/HTML/views/26_Untitled-v.2-scrip-alert-1-script-/index.html
/mahara/data/export/1/1632482909/HTML/views/30_Untitled-v.6/index.html
/mahara/data/export/1/1632482909/HTML/views/29_Untitled-v.5/index.html
/mahara/data/export/1/1632482909/HTML/views/28_Untitled-v.4/index.html
/mahara/data/export/1/1632482909/HTML/views/6_Profile-page/index.html
/mahara/data/export/1/1632482909/HTML/views/20_Untitled-v.2/index.html
/mahara/data/export/1/1632482909/HTML/views/25_Untitled-v.2/index.html
/mahara/data/export/1/1632482909/HTML/views/14_Untitled-v.4/index.html
/mahara/data/export/1/1632482909/HTML/views/27_Untitled-v.3/index.html
/mahara/data/export/1/1632482909/HTML/index.html
/mahara/data/export/1/1632482909/HTML/content/blog/Admin-Account's-Journal/index.html
/mahara/data/export/1/1632482909/HTML/content/internal/index.html
/mahara/data/export/1/1632482909/HTML/content/plans/aabb/index.html
/mahara/data/export/1/1632482909/HTML/content/plans/whatever/index.html
/mahara/data/export/1/1632482909/HTML/content/resume/index.html
/mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/index.html
/mahara/data/export/1/1632482909/export_info/files/Import folder 2021-09-17 14:26:19/Cover images/index.html
/mahara/data/export/1/1632482909/export_info/files/index.html
/mahara/data/export/1/1632482909/export_info/files/Cover images/index.html
```

Leaking it would require getting the Unix timestamp in the path right, but that is still not impossible if there's no rate limiting in place. Getting to the base `/HTML/index.html` file would reveal the names of the other files, so they don't need to be guessed.

Suggested CVSS: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 3.7

Kristina Hoeppner (kris-hoeppner) wrote :

Hi Dominic,

Thank you for this new potential security vulnerability. We'll review it and get back to you within 10 business days with next steps.

Thank you
Kristina

Robert Lyon (robertl-9) wrote :

Hi Dominic,

Thank you for this security report

A patch is underway at https://reviews.mahara.org/#/c/12037/ for this problem.

The patch will become public once it's been merged to the codebase

Cheers
Robert

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12133
Committed: https://git.mahara.org/mahara/mahara/commit/4b9a1ebcab4dbc3334fe2ddc157c106413bc7898
Submitter: Robert Lyon (<email address hidden>)
Branch: main

commit 4b9a1ebcab4dbc3334fe2ddc157c106413bc7898
Author: Robert Lyon <email address hidden>
Date: Mon Sep 27 17:12:42 2021 +1300

Security bug 1944979: Able to create a transversible help path

To get to files outside the webroot
These files will need to be .html files for the exploit to work

This patch tries to find the real path for the file and checks to make
sure it's within the webroot and contains 'help/page/' as part of its
path.

Change-Id: I1c782f2a63e93b7da30ad62cb0acddab8dd75497
Signed-off-by: Robert Lyon <email address hidden>
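
An added example, not Mahara's own code and not part of the report or the patch above: a reduced model of the `get_helpfile_location` construction quoted in the bug description, beside a hardened version that applies the checks the commit message describes (canonicalise with realpath, require the result to sit under the webroot and under a help/pages/ directory) and additionally rejects bad input up front with an allowlist. The directory layout, the function names `help_path_vulnerable` and `help_path_hardened`, the allowlist pattern, the `.html` files and the temporary tree are all assumptions made for the demonstration; the third `page` value mirrors the export directory path listed in the report.

```php
<?php
// Added example, not Mahara's own code: a reduced model of the "split on - and
// join with /" construction from get_helpfile_location(), beside a hardened
// version. Directory layout, function names and files are assumptions.

// Vulnerable construction (the plugintype == 'core' branch): every '-' in $page
// becomes a '/', so "..-..-js-foo" becomes "../../js/foo.html".
function help_path_vulnerable(string $helpdir, string $pluginname, string $page): string
{
    $bits = explode('-', $page);
    $file = array_pop($bits) . '.html';
    return $helpdir . 'pages/' . $pluginname . '/' . join('/', $bits) . '/' . $file;
}

// Hardened version: reject anything that is not a plain help-page token, then
// canonicalise the built path and confine it (the checks the fix describes).
function help_path_hardened(string $docroot, string $helpdir, string $pluginname, string $page): ?string
{
    // Input allowlist (assumed page-name format): alphanumeric tokens joined
    // by '-', so "..", "/" and empty segments never reach the path at all.
    if (!preg_match('/^[A-Za-z0-9_]+(-[A-Za-z0-9_]+)*$/', $page)) {
        return null;
    }
    $real = realpath(help_path_vulnerable($helpdir, $pluginname, $page));
    if ($real === false) {
        return null; // no such file: realpath() returns false
    }
    // Output-side checks: the canonical path must be below the canonical
    // webroot and inside a help/pages/ directory.
    $root = realpath($docroot);
    if ($root === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $marker = DIRECTORY_SEPARATOR . 'help' . DIRECTORY_SEPARATOR . 'pages' . DIRECTORY_SEPARATOR;
    if (strpos($real, $marker) === false) {
        return null;
    }
    return $real;
}

// Constructed tree (assumption): a webroot with one legitimate help page and a
// stray plugin help.html, plus an export index outside the webroot shaped like
// the one listed in the report.
$base    = sys_get_temp_dir() . '/help-traversal-demo-' . getmypid();
$docroot = $base . '/htdocs';
$helpdir = $docroot . '/lang/en.utf8/help/';
$export  = $base . '/data/export/1/1632482909/HTML';
foreach ([$helpdir . 'pages/view', $docroot . '/js/tinymce', $export] as $dir) {
    mkdir($dir, 0700, true);
}
file_put_contents($helpdir . 'pages/view/blocks.html', 'legitimate help page');
file_put_contents($docroot . '/js/tinymce/help.html', 'plugin help inside the webroot');
file_put_contents($export . '/index.html', 'private export index outside the webroot');

$cases = [
    'blocks',                                                // legitimate request
    '..-..-..-..-..-js-tinymce-help',                        // climbs out of help/, stays in the webroot
    '..-..-..-..-..-..-data-export-1-1632482909-HTML-index', // climbs out of the webroot
];
foreach ($cases as $page) {
    $vuln = help_path_vulnerable($helpdir, 'view', $page);
    $safe = help_path_hardened($docroot, $helpdir, 'view', $page);
    printf("page=%s\n  vulnerable: %s\n  hardened:   %s\n",
        $page,
        is_file($vuln) ? file_get_contents($vuln) : '(no such file)',
        $safe === null ? 'blocked' : file_get_contents($safe));
}
```

Run it with the php command-line binary; it only writes under the system temp directory. The vulnerable function serves all three files, the hardened one serves only the legitimate page and reports the two traversal cases as blocked. The allowlist is the primary control because it stops `..` before any path exists; the realpath checks are the backstop the commit describes. Note that the commit text says 'help/page/' while the snippet in the report joins under 'pages/', so the example checks for the help/pages/ segment. Because the prefix check compares against the canonical webroot, a help directory that is itself a symlink to somewhere outside the webroot would have its legitimate pages rejected as well, which is the safe direction to fail.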

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.10_DEV" branch: https://reviews.mahara.org/12198

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12198
Committed: https://git.mahara.org/mahara/mahara/commit/f8d64e621af581902de82c8ec76f0283e4495398
Submitter: Robert Lyon (<email address hidden>)
Branch: 21.10_DEV

commit f8d64e621af581902de82c8ec76f0283e4495398
Author: Robert Lyon <email address hidden>
Date: Mon Sep 27 17:12:42 2021 +1300

Security bug 1944979: Able to create a transversible help path

To get to files outside the webroot
These files will need to be .html files for the exploit to work

This patch tries to find the real path for the file and checks to make
sure it's within the webroot and contains 'help/page/' as part of its
path.

Change-Id: I1c782f2a63e93b7da30ad62cb0acddab8dd75497
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 4b9a1ebcab4dbc3334fe2ddc157c106413bc7898)

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.04_STABLE" branch: https://reviews.mahara.org/12199

Mahara Bot (dev-mahara) wrote :

Patch for "20.10_STABLE" branch: https://reviews.mahara.org/12200

Mahara Bot (dev-mahara) wrote :

Patch for "20.04_STABLE" branch: https://reviews.mahara.org/12201

no longer affects: mahara/21.10
Robert Lyon (robertl-9)
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12199
Committed: https://git.mahara.org/mahara/mahara/commit/930520d2268c37719d11696b8df37d3ada9fec8d
Submitter: Gold (<email address hidden>)
Branch: 21.04_STABLE

commit 930520d2268c37719d11696b8df37d3ada9fec8d
Author: Robert Lyon <email address hidden>
Date: Mon Sep 27 17:12:42 2021 +1300

Security bug 1944979: Able to create a transversible help path

To get to files outside the webroot
These files will need to be .html files for the exploit to work

This patch tries to find the real path for the file and checks to make
sure it's within the webroot and contains 'help/page/' as part of its
path.

Change-Id: I1c782f2a63e93b7da30ad62cb0acddab8dd75497
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 4b9a1ebcab4dbc3334fe2ddc157c106413bc7898)
(cherry picked from commit f8d64e621af581902de82c8ec76f0283e4495398)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12200
Committed: https://git.mahara.org/mahara/mahara/commit/4d747342af12a50c078b3e00a74715f016ddbf0d
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.10_STABLE

commit 4d747342af12a50c078b3e00a74715f016ddbf0d
Author: Robert Lyon <email address hidden>
Date: Mon Sep 27 17:12:42 2021 +1300

Security bug 1944979: Able to create a transversible help path

To get to files outside the webroot
These files will need to be .html files for the exploit to work

This patch tries to find the real path for the file and checks to make
sure it's within the webroot and contains 'help/page/' as part of its
path.

Change-Id: I1c782f2a63e93b7da30ad62cb0acddab8dd75497
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 4b9a1ebcab4dbc3334fe2ddc157c106413bc7898)
(cherry picked from commit f8d64e621af581902de82c8ec76f0283e4495398)

Robert Lyon (robertl-9) wrote :

For the security forum post:

Vulnerability type: Path traversal
Attack type: Local
Impact: Access escalation

Affected components: The help icon for 'page help'
Attack vectors: If a person alters the path to the page help file they can traverse to find other .html files outside the site's webroot and potentially find sensitive information.

Suggested description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, adjusting the path component for the page help file could cause seeing HTML files that you are not allowed to access.

Reported by: Dominic Couture
Bug report: https://bugs.launchpad.net/mahara/+bug/1944979
CVE reference: TBC

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12201
Committed: https://git.mahara.org/mahara/mahara/commit/1a30e5dbbbec8176884d416a6a0a8acf2cec675b
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.04_STABLE

commit 1a30e5dbbbec8176884d416a6a0a8acf2cec675b
Author: Robert Lyon <email address hidden>
Date: Mon Sep 27 17:12:42 2021 +1300

Security bug 1944979: Able to create a transversible help path

To get to files outside the webroot
These files will need to be .html files for the exploit to work

This patch tries to find the real path for the file and checks to make
sure it's within the webroot and contains 'help/page/' as part of its
path.

Change-Id: I1c782f2a63e93b7da30ad62cb0acddab8dd75497
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 4b9a1ebcab4dbc3334fe2ddc157c106413bc7898)
(cherry picked from commit f8d64e621af581902de82c8ec76f0283e4495398)
