Mahara

Able to upload a virus file to Files section

Bug #1770535 reported by Robert Lyon on 2018-05-11

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mahara	Fix Released	High	Robert Lyon	Mahara 18.10.0
17.04	Fix Released	High	Unassigned	Mahara 17.04.8
17.10	Fix Released	High	Unassigned	Mahara 17.10.5
18.04	Fix Released	High	Unassigned	Mahara 18.04.1
18.10	Fix Released	High	Robert Lyon	Mahara 18.10.0

Bug Description

If I try to upload the benign test virus file called "eicar.com" from https://www.ikarussecurity.com/support/virus-info/test-viruses/ Mahara spots it and alerts user it is a virus

However, if I try to upload the eicar_com.zip file it lets me (which is bad) but understandable as the signature of the virus file can be hidden via compression. And a user could only be infected if they download the zip and extract it locally.

But if I then press the 'Decompress' button it extracts the zip file and doesn't complain. This is bad as all one needs to do to upload a virus is to wrap it in a zip file and then extract it and now they can trick another user to click on the file directly.

When importing a zip file via Importer and clamav is on it checks the files of the zip for viruses but when extracting a zip file in Files section it does not.

We need to tidy this up so that uploading a zip file gets checked properly as well.

CVE References

2018-11196

Revision history for this message

Robert Lyon (robertl-9) wrote on 2018-05-11:

Note to self:

Files that are in play
htdocs/lib/uploadmanager.php - holds function that does scan
htdocs/import/file/lib.php - looks to do clamav correctly
htdocs/artefact/file/extract.php- looks to not do clamav check

Revision history for this message

Robert Lyon (robertl-9) wrote on 2018-05-12:

I've begun a bug at: https://reviews.mahara.org/#/c/8856/

Currently only looks at double checking a zip file for virus files if a user click the 'Decompress' button in Content -> Files section.

If a virus is found it moves the file to quarantine and deletes the file info from Mahara.

Revision history for this message

Kristina Hoeppner (kris-hoeppner) wrote on 2018-05-16:

For the security announcement:

Virus scanner does not check Leap2A zip files

Vulnerability type: Upload of a virus-infected file

Description:
Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 can be used as medium to transmit viruses by placing infected files into a Leap2A archive and uploading that to Mahara. In contrast to other ZIP files that are uploaded, ClamAV (when activated) does not check Leap2A archives for viruses, allowing malicious files to be available for download. While files cannot be executed on Mahara itself, Mahara can be used to transfer such files to user computers.

Bug report: https://bugs.launchpad.net/bugs/1770535
CVE reference: CVE-2018-11196 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11196

Revision history for this message

Kristina Hoeppner (kris-hoeppner) wrote on 2018-05-17:

Discoverer credit: Swe Zin Lynn, The Australian National University

Revision history for this message

Kristina Hoeppner (kris-hoeppner) wrote on 2018-05-17:

Another scenario: If an infected file is exported as "File" format from Moodle to Mahara, it is successfully exported without any error/warning.

Revision history for this message

Ghada El-Zoghbi (ghada-z) wrote on 2018-05-21:

Just tried the last scenario reported (without the patch):

Scenario: If an infected file is exported as "File" format from Moodle to Mahara, it is successfully exported without any error/warning.

I can confirm that Mahara catches the virus when it's exported as 'File' (archive or plain file).

Cecilia Vela Gurovic (ceciliavg) on 2018-05-30

information type:

Private Security → Public Security

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.