General developer forum

preventing users from uploading malicious files from the code level

 
Picture of John m
preventing users from uploading malicious files from the code level
 

Hi


lately there have been some malicious attacks on many sites using moodle.

authenticated users are uploading .exe files as attachments to different modules, for example "forum".

other users click the attached .exe file and that file turns out to be a trojan.

same is happening with other executable file types like .js even though of course those aren't trojans, just contain other less malicious code.

also, those users keep uploading .php, because it's possible but looks like moodle takes actions to disable the options for them to be executed on server.

in the code I see moodle's default allowed file type is '*'.

this seems like a security hole.

I think this is the known vulnerability of it:

https://www.cvedetails.com/cve/CVE-2016-9186

https://www.cvedetails.com/cve/CVE-2016-9187

https://packetstormsecurity.com/files/139466/Moodle-CMS-3.1.2-Cross-Site-Scripting-File-Upload.html

https://www.securityfocus.com/bid/94191/info


was this addressed in the code moodle 3.5?

is there a patch for it for moodle 3.1.x and later?
if moodle didn't fix this and don't intend to - where is the best place in the code for me to change this so that no matter what - no user will be able to add an .exe file?
I don't to intent to rely on clam antivirus or imperva or any other layer of protection to keep me safe.
I have to change this in the code level.

 
Average of ratings: -
Tim at Lone Pine Koala Sanctuary
Re: preventing users from uploading malicious files from the code level
Core developersDocumentation writersParticularly helpful MoodlersPlugin developers

Do you have virus scanning set up in your Moodle install? https://docs.moodle.org/35/en/Antivirus_plugins

 
Average of ratings: Useful (1)
Picture of John m
Re: preventing users from uploading malicious files from the code level
 

yes, I have ClamAV antivirus there.
but as I wrote, I really don't want to rely on antivirus for this.
I believe it's important to prevent this in the moodle php code as it looks to me as a code vulnerability, and it ain't difficult to fix it, I just don't want to make core changes if someone is already did it or working on it in the moodle team.

 
Average of ratings: -
Picture of Mark Johnson
Re: preventing users from uploading malicious files from the code level
Core developersParticularly helpful MoodlersPlugin developers

Hi John,

I'm not certain that those CVEs are looking at this in the same way that you are.  They seem to be talking about a use uploading a file then causing it to be executed on the server in some way ("unspecified vectors"), rather than tricking other users into downloading malicious files.

If you believe this is a security issue, please raise an issue on the tracker. I found MDL-54716 which is somewhat related to what you're asking, although the response suggests raising separate issues for the specific modules that need changes.

More generally, while restricting .exe file uploads might help with your immediate problem, to be sure of keeping your users safe, you will need to rely on some sort of anti-virus scanning of uploads too.  Not having a .exe extension doesn't guarantee a file isn't executable, or malicious!

 
Average of ratings: -
Picture of John m
Re: preventing users from uploading malicious files from the code level
 
I agree that those CVE are talking about executing uploaded malicious files from server and not uploading them and downloading by other uses - but the vulnerability that allows authenticated users to upload malicious files is the common problematic issue.

also I don't rely only on the code in this issue, but I am as I wrote in my first post and the previous one - I AM already using antivirus and I don't believe it's enough.
the thing is I don't won't to rely on any one single layer of protection but use multiply ones.
codewise I feel obligated to restrict the file types a user can upload and not allow all.

is it safe to say that moodle's team doesn't see this issue as a vulnerability and does not intent to address it? that would be fine with me... I just need to know so I can move on to either create a jira issue or make my own code that does the restriction.

 
Average of ratings: Useful (1)
Picture of Conn Warwicker
Re: preventing users from uploading malicious files from the code level
Core developersParticularly helpful MoodlersPlugin developers

I think you might have to do it yourself, it's been mentioned for a few years and I don't think they ever implemented a whitelist.

If you look at /repository/upload/lib.php

I believe the process_upload() function in there is called whenever someone uploads a file, and there is already some code in there for checking mimetypes, so it should just be a case of adding in an extra line or so, to look for, say a $CFG->allowed_types variable, or a config setting if you want to make an actual form for it in Site Admin.

 
Average of ratings: -