Avoid command injection when PDF bulk export is enabled

Bug #1949527 reported by Robert Lyon
Affects   Status        Importance  Assigned to   Milestone
Mahara    Fix Released  High        Robert Lyon
20.10     Fix Released  High        Unassigned
21.04     Fix Released  High        Unassigned
21.10     Fix Released  High        Unassigned
22.04     Fix Released  High        Robert Lyon

Bug Description

The patch https://git.mahara.org/mahara/mahara/-/commit/6c15801d04887e482b1f490d8acf6f7c52661eea
doesn't avoid a filename with backticks, and a simple command like
`shutdown` could still be executed.

I have to say I didn't test it, though, but I wanted to give a heads-up.
I think exploitation is fairly limited now, but it could still be used
as a denial of service.

I would highly recommend using a whitelist instead of trying to remove
all special characters, something like preg_replace('/[^a-zA-Z0-9_]/',
'-', ...) would make it easier and wouldn't require an exhaustive list
of all potentially malicious characters.

All the best,
Dominic

This is a follow-on from Bug 1942903.
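To illustrate the point made in the report, here is an added example (not Mahara's own code and not the patch referenced above) contrasting a blocklist-style cleanup that leaves backticks intact with the allowlist preg_replace() the reporter recommends, plus escapeshellarg() as defence in depth. The export tool path, the function names and the attacker-controlled filename are all constructed for this example.

```php
<?php
// Added example, not Mahara's code. Function names, the tool path and the
// malicious filename below are hypothetical and constructed for illustration.

// Illustrative blocklist: drops some shell metacharacters but not the
// backtick, so `...` command substitution survives into the command line.
function sanitise_blocklist(string $name): string
{
    return str_replace([';', '|', '&', '$', '(', ')', '<', '>'], '', $name);
}

// Allowlist suggested in the report: anything outside [A-Za-z0-9_]
// becomes '-'. Only those three classes of characters can reach the
// shell, so there is no list of "bad" characters to keep complete.
function sanitise_allowlist(string $name): string
{
    $clean = preg_replace('/[^a-zA-Z0-9_]/', '-', $name);
    // preg_replace() returns null on a PCRE error; never fall back to
    // the raw name in that case.
    if ($clean === null || $clean === '') {
        $clean = 'export';
    }
    return $clean;
}

// Check used here to demonstrate the difference: does the string still
// contain anything a POSIX shell could interpret?
function has_shell_metachar(string $s): bool
{
    return preg_match('/[`$|&;<>(){}\[\]*?~!\'"\\\\\s]/', $s) === 1;
}

// Naive command construction that interpolates the name unquoted,
// the shape of bug the report describes (hypothetical tool path).
function build_command_unquoted(string $outfile): string
{
    return '/usr/local/bin/pdf-export --out ' . $outfile . '.pdf';
}

// Defence in depth: even an allowlisted name is passed as one quoted
// argument, so a future change to the allowlist cannot reopen the hole.
function build_command_quoted(string $outfile): string
{
    return '/usr/local/bin/pdf-export --out ' . escapeshellarg($outfile . '.pdf');
}

$attacker_name = 'report`shutdown -h now`';  // constructed malicious input

foreach (['blocklist' => sanitise_blocklist($attacker_name),
          'allowlist' => sanitise_allowlist($attacker_name)] as $label => $clean) {
    printf("%-9s -> %s  (shell metachar present: %s)\n",
           $label, $clean, has_shell_metachar($clean) ? 'yes' : 'no');
}

// The blocklisted name still carries the backtick payload into the shell;
// the allowlisted, quoted name cannot.
echo build_command_unquoted(sanitise_blocklist($attacker_name)), "\n";
echo build_command_quoted(sanitise_allowlist($attacker_name)), "\n";
```

Run it with `php example.php`. The allowlist also flattens non-ASCII letters to '-', which is acceptable for an internal export filename; if user-visible names matter, keep the original for display and use the allowlisted form only for the command line. Note that the safest option of all is to avoid the shell entirely (pass an argument array to proc_open() rather than building a string), with sanitisation and escapeshellarg() as the second layer.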

Kristina Hoeppner (kris-hoeppner) wrote :

Follow-on from https://mahara.org/interaction/forum/topic.php?id=8953 - use same CVE and description as there for this issue here as it is hardening. Dominic stays for the credit. We'll also need to update MITRE with the additional bug number for the CVE once this bug has been released.

Robert Lyon (robertl-9)
information type: Private Security → Public Security