Session key is not checked during file upload

Hello Abdullah,

Thank you for your report. Our team will review this and get back to you next week with an update.

Cheers
Kristina

I was able to replicate this bug. Essentially the problem is that the filebrowser Pieform element, in the event of a file upload, does all the necessary processing and returns a result message entirely in the pieform->get_value() stage (via pieform_element_filebrowser_get_value()). Thus, it never gets to the form validation stage of pieforms, bypassing our normal sesskey check.

This makes a Cross-Site Request Forgery (CSRF) attack possible, which is what Abdullah's video illustrates. The attacker puts together a form that will generate an HTTP request with all the same parameters as Mahara's own file upload process. If they can then trick a logged-in Mahara user into submitting this form in another tab, then they'll cause the user to upload a file of their choice.

With any other form, we include a "sesskey" value in a hidden variable, which matches a randomly generated key stored in the user's session. Then when the form is submitted, we verify that the sesskey that was passed back from the user's browser matches the sesskey in the session. However, because we're not getting to the validation step in the filebrowser upload process, the sesskey is not checked, and thus CSRF is possible.

The code that did this was added in 2009, so this vulnerability is likely present in all current versions of Mahara, and in all places where the filebrowser element is used (not just group files, but also individual files, institution files, and site files). Notably, this means an attacker could upload a file into the Site Files "Public" area, where it would be accessible by logged-out users outside of Mahara.

Hi Abdullah,

Thanks for the bug report! Would you like to have your name added to our security researchers wall?

https://wiki.mahara.org/wiki/Contributors#Security_researchers

Cheers,
Aaron

To replicate:

One way to replicate it is to create a form that will simulate a file upload. An easier way to check that the sesskey is being validated, though, is like this:

1. Log in to Mahara and go to "Content -> Files".

2. Using the Firefox (or Chrome) developer tools, open up a live view of the page's source code.

3. Find the hidden form variable with ID "files_sesskey".

4. Delete it, or change its value to "wrongsesskey".

5. Upload a file.

Expected result: The process should error out. Depending on how thorough the Javascript involved is, you may see this error message: "Invalid session key"

Actual result: The file upload finishes successfully

Patch for this issue: https://reviews.mahara.org/5050

Hi, thanks for replay

Please add my name when ever are credit

Abdullah Hussam Gazi (https://twitter.com/Abdulahhusam)

And please add in release note

Are there CVE for this bug it is affect many version ?

Thanks .

Hello Abdullah,

I added you to https://wiki.mahara.org/wiki/Contributors#Mahara_code

We do always request CVE numbers and will give you credit there once the assignment has been made.

Cheers
Kristina

Thanks please notice me when the CVE number assignment has been made.

Hello Abdullah,

Once we have the CVE number, we will add it here to the Launchpad bug.

Cheers
Kristina

Hello Abdullah,

We included a fix for this issue in our latest releases. See https://mahara.org/interaction/forum/topic.php?id=7334

Unfortunately, we don't yet have a CVE number assigned. Once we have it, we will add it here in Launchpad as well as on the forum entry.

Cheers
Kristina

Thank you !