Security issue: File / folder name not being escaped correctly in filebrowser
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| Mahara | ||||||
| 19.04 |
Fix Released
|
High
|
Unassigned | |||
| 19.10 |
Fix Released
|
High
|
Unassigned | |||
| 20.04 |
Fix Released
|
High
|
Unassigned | |||
| 20.10 |
Fix Released
|
High
|
Robert Lyon | |||
Bug Description
In your browser with the debug console visible to see javascript output
Have a site and go to the Create -> Files page
Upload an image and then edit it and change the
name: Image<script>
description: This is Image<script>
Create a new folder called:
Folder<
Go into the new folder and upload another file
Problem 1 you see 'bad folder!' in the console bar
Create a page and add an image block to the page and select the image with bad name
Problem 2 you see 'bad name!' in console bar
Save block and then edit it again
Problem 3 you see 'bad name!' in console bar again
Add the folder block to the page
Problem 4 you see 'bad folder!' in the console bar
CVE References
| Robert Lyon (robertl-9) wrote | #1 |
| Robert Lyon (robertl-9) wrote | #2 |
| information type: | Private Security → Public Security |
| Changed in mahara: | |
| milestone: | 20.10.0 → none |
| no longer affects: | mahara |
This is most likely an issue in the group / institution / site areas as well as they all use the same js files to do the filebrowser so when it comes to testing / verifying do check there as well