Security Alert

Severity: High
Category: Arbitrary Code Execution by Privileged Users
Affected Projects: edx-platform
Reporter: Third-party Security Auditor
Permanent URL: https://open.edx.org/CVE-2015-5601

During a scheduled, third-party security audit of the edx-platform code it was discovered that a bug allowed certain categories of privileged users to execute arbitrary code as the user of the running process.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-5601 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.

More Information

The issue is in the course import endpoint, which accepts a .tar.gz file upload. It is possible to craft a tar file whose contents are extracted under the edx-platform directory rather than the temporary directory the app intends to use (see below for details). Since subdirectories of edx-platform are on the Python library path, “import foo” statements will look for “foo.py” in those directories. An attacker can upload an appropriately named Python file to one of them, and the next time the application restarts it will be imported and run.

The underlying issue is in the tar file processing. The application is careful to disallow files and symlinks which use upward traversal or absolute paths to point outside the extraction directory. However, these checks, in “extract_tar.py”, incorrectly assume that the extraction directory is “.”, which resolves to “/edx/app/edxapp/edx-platform”; they should use the actual extraction directory instead.

The actual extraction occurs in a course-specific subdirectory of “/edx/var/edxapp/data”, but symlinks which point to subdirectories of “edx-platform” can be created, and subsequent files can be extracted to them.
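As an added example (not code from edx-platform or from its fix), the check below resolves every member path and every symlink target against the real extraction directory rather than “.”, so a link that escapes that directory is rejected before any later member can be written through it. The course subdirectory under the data directory and the archive contents are constructed for the demo; the directory does not need to exist, since realpath only normalizes it.

```python
import io
import os
import tarfile

def _inside(path, root):
    """True if path, fully resolved, lies within root (root itself allowed)."""
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)

def audit_tar(tar, dest):
    """Return (member, reason) for every member that would land outside dest,
    resolving against the real extraction directory rather than '.'."""
    root = os.path.realpath(dest)
    problems = []
    for m in tar.getmembers():
        target = os.path.join(root, m.name)  # an absolute m.name discards root
        if not _inside(target, root):
            problems.append((m.name, "path escapes extraction dir"))
        elif m.issym():
            # a relative link target is resolved from the link's own directory
            link = os.path.join(os.path.dirname(target), m.linkname)
            if not _inside(link, root):
                problems.append((m.name, "symlink target escapes extraction dir"))
    return problems

def build_archive(members):
    """Constructed sample .tar.gz; members = (name, kind, content_or_linkname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tar.addfile(info)
            else:
                info.size = len(payload.encode())
                tar.addfile(info, io.BytesIO(payload.encode()))
    return buf.getvalue()

def demo(dest="/edx/var/edxapp/data/course-1"):
    """Audit a benign upload and one that plants a symlink to a directory outside
    dest, then writes a .py file through it (dest need not exist on disk)."""
    benign = build_archive([("course/about.txt", "file", "hello")])
    hostile = build_archive([("course/lib", "symlink", "../../../outside-dir"),
                             ("course/lib/plugin.py", "file", "")])
    results = []
    for blob in (benign, hostile):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as t:
            results.append(audit_tar(t, dest))
    return results
```

The caller should extract only when `audit_tar` returns an empty list; a single offending member rejects the whole upload.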

The bug was fixed in this commit.