Should not be able to execute CLI scripts from the web

Bug #1387903 reported by Aaron Wells
This bug affects 2 people
Affects   Status        Importance  Assigned to  Milestone
Mahara    Fix Released  High        Aaron Wells
1.10      Fix Released  High        Unassigned
1.8       Fix Released  High        Unassigned
1.9       Fix Released  High        Unassigned
15.04     Fix Released  High        Aaron Wells

Bug Description

Mahara includes a few scripts that are meant to be executed only from the command line (most notably the ones under /admin/cli). Currently, though, there is no check that these scripts are being run from the command line rather than being served by the web server.

This is a security flaw. CLI scripts are intended to be accessible only by admins with CLI access to the server.

Since we put "define('CLI', 1);" at the top of every CLI script, it should be straightforward to safeguard against this: a script that defines CLI can refuse to run when it is not executing under the command-line SAPI.

Tags: cli

Revision history for this message
Aaron Wells (u-aaronw) wrote :

Credit: This bug was reported to me by Aaron Barnes at Catalyst IT.

Aaron Wells (u-aaronw) wrote :
Robert Lyon (robertl-9) wrote :

Hi Aaron,

On reading this: http://php.net/manual/en/function.php-sapi-name.php#89858 it sounds like checking for 'cli' with php_sapi_name() may return a false negative when php_cgi is in use.

Is that something we need to worry about? Do we need a more robust check to make sure the CLI scripts are run via commandline?

Cheers

Robert

Aaron Wells (u-aaronw) wrote :

Hi Robert,

Nah, a false negative is fine. The CLI is assumed to be more secure than the HTTP interface, so a CLI masquerading as HTTP is not a security problem.

If, as that comment mentions, someone has their server set up so that /usr/bin/php is an alias to the CGI script instead of the PHP CLI executable, well, they won't be able to run the CLI installer or upgrader, but that's because their system is misconfigured.

Cheers,
Aaron
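
The safeguard described in the bug description, with the php_sapi_name() behaviour discussed in the comments above taken into account, as an added example. This is not Mahara's own code; the file name cli_guard.php and the function names are assumptions.

```php
<?php
// Added example (not Mahara's own code): a guard that a CLI-only script can
// include at the top, after define('CLI', 1). The file name "cli_guard.php"
// and the function names below are assumptions for illustration.

/**
 * True when PHP is running under the command-line SAPI.
 *
 * PHP_SAPI (the same value php_sapi_name() returns) may read "cgi" or
 * "cgi-fcgi" on a host where /usr/bin/php is really the CGI binary. That is a
 * false negative: a genuine command-line run is refused on a misconfigured
 * host, but a web request is never mistaken for a CLI run, which is the
 * direction that matters for security.
 */
function running_from_cli(): bool
{
    return PHP_SAPI === 'cli';
}

/**
 * Abort unless the script was started from the command line.
 *
 * When the script is reached through the web server, answer with 403 and a
 * short plain-text message, then stop before any of the script's own logic
 * (installer, upgrader, cron) can execute.
 */
function require_cli(): void
{
    if (running_from_cli()) {
        return;
    }
    if (!headers_sent()) {
        http_response_code(403);
        header('Content-Type: text/plain');
    }
    echo "This script can only be run from the command line.\n";
    exit(1);
}

// Usage at the top of a CLI-only script:
define('CLI', 1);
require_cli();

echo "Running from the command line; continuing.\n";
```

The guard relies on the SAPI name alone, which is the check proposed in the thread. As defence in depth, independent of this example and not something the report discusses, an administrator can also deny web access to the CLI script directory in the web server configuration, so that a missing guard in any one script is not enough to expose it.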

Robert Lyon (robertl-9)
information type: Private Security → Public Security
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released
This report contains Public Security information: everyone can see this security-related information.
