Mahara
cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*
- < 21.10.6
- < 22.04.4
- < 22.10.1
A directory traversal vulnerability has been identified in Mahara versions 21.10 prior to 21.10.6, 22.04 prior to 22.04.4, and 22.10 prior to 22.10.1. The vulnerability allows unsafe font uploads in skin imports. By manipulating the font upload file to include path information, it is possible to traverse the server's directory structure, access secure files, or execute code, depending on the payload. The issue arises from improper validation of file paths in the font upload process, which can be exploited through crafted XML files.
Exploitation of this vulnerability could lead to unauthorized access to secure files or execution of arbitrary code on the server, depending on the payload used.
To reproduce this vulnerability, create a skin import file that includes a font element with a 'file' sub-element. The 'file' sub-element should be crafted to include path traversal sequences that navigate up the directory structure, targeting a file within the Mahara 'htdocs' directory. Once the file is uploaded, the contents can be executed if the payload is crafted to exploit the server.
Users are advised to update to Mahara versions 21.10.6, 22.04.4, 22.10.1, or 23.04.4. Mahara releases can be downloaded via the Mahara Subscriber Portal.
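The following added example is not Mahara code. It shows the kind of check the font upload path was missing: auditing a skin import file before it is processed, and confirming that a joined path stays inside the intended font directory. The XML layout, the sample data, and the function names `unsafe_reason`, `resolve_in` and `audit_skin_xml` are assumptions built only from the advisory's wording (a font element with a 'file' sub-element).

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the element layout is an assumption based only on the
# advisory's wording (a font element with a 'file' sub-element).
SAMPLE_SKIN = """<skins>
  <skin title="demo">
    <font name="GoodFont"><file>goodfont.ttf</file></font>
    <font name="BadFont"><file>../../htdocs/placeholder.ttf</file></font>
    <font name="AbsFont"><file>/tmp/placeholder.ttf</file></font>
    <font name="WinFont"><file>..\\..\\placeholder.ttf</file></font>
  </skin>
</skins>"""

def unsafe_reason(name):
    """Return why a font file name is unsafe, or None if it is a bare name."""
    if not name or name in (".", ".."):
        return "empty or dot name"
    if "\x00" in name:
        return "NUL byte"
    if "/" in name or "\\" in name:
        return "contains path separator"
    return None

def resolve_in(base_dir, name):
    """Join name under base_dir and confirm the result stays inside it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes " + base)
    return target

def audit_skin_xml(xml_text):
    """Return [(font name, file value, reason)] for every unsafe font file."""
    findings = []
    root = ET.fromstring(xml_text)
    for font in root.iter("font"):
        for f in font.iter("file"):
            value = (f.text or "").strip()
            reason = unsafe_reason(value)
            if reason:
                findings.append((font.get("name"), value, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_skin_xml(SAMPLE_SKIN):
        print(finding)
```

Rejecting any value that is not a bare file name is the primary control; the `resolve_in` containment check is a second layer that also catches absolute paths and symlinked directories.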