Introduction

While auditing the wider Moodle ecosystem for vulnerabilities, a path traversal issue was discovered in the popular MathType library. According to the Moodle plugins directory, there are approximately 5745 sites running the affected library.

The MathType library integrates with the following Learning Management Systems (LMS) and HTML editors:

Our research focused primarily on the Moodle and PHP libraries; however, the resource handler appears to have been ported across multiple languages, and some variation of it was present in every code base examined, including Blackboard (see below for a PoC).

A resource handler was discovered within these libraries that takes parameters from the querystring and uses these to fetch files and resources that are meant to be displayed to the user.

It was found that no sanitisation occurred on parameters fetched from the URL, with four lines in the codebase being of particular concern:

```php
$resource = $provider->getRequiredParameter('resourcefile');   // value taken straight from the query string

$resourceLoader = $pluginBuilder->newResourceLoader();
header('Content-Type:' . $resourceLoader->getContentType($resource)); // type chosen from the extension alone
echo $resourceLoader->getcontent($resource);                    // path used exactly as supplied: no traversal check
```

As seen in the code snippet above, the resource parameter is not sanitised at all. The getContentType function simply parses the file extension and decides how the content type will be rendered, falling back to application/octet-stream.

As a result, when the value is passed into the getContent method, an attacker can fetch arbitrary files such as source code and environment variables simply by supplying the query parameter with the correct file path. Depending on the server configuration, attackers may be able to pivot further into the environment.
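The check that the snippet above omits, as an added illustration (not code from Wiris or MathType): a loader that canonicalises the requested name with realpath and refuses anything resolving outside an assumed resources/ directory under the plugin root. It assumes PHP 8 (for str_contains and str_starts_with), and the content-type list is a placeholder.

```php
<?php
// Added example (not Wiris/MathType code): the containment check the original
// handler lacked. The resources/ directory and the type list are assumptions.

const CONTENT_TYPES = ['png' => 'image/png', 'svg' => 'image/svg+xml',
                       'css' => 'text/css', 'js' => 'application/javascript'];

// Resolve a user-supplied name to a canonical path inside $base, or null.
function resolveResource(string $base, string $resource): ?string
{
    if ($resource === '' || str_contains($resource, "\0")) {
        return null;                                // empty, or NUL-byte truncation
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $resource);
    if ($real === false || !is_file($real)) {
        return null;                                // missing file, or a directory
    }
    // Canonical path must stay below base: defeats ../ and symlinks pointing out.
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return isset(CONTENT_TYPES[$ext]) ? $real : null;   // allow-listed types only
}

// Handler body replacing the unchecked getcontent() call.
$base = realpath(__DIR__ . DIRECTORY_SEPARATOR . 'resources');
$name = $_GET['resourcefile'] ?? '';
$path = ($base !== false && is_string($name)) ? resolveResource($base, $name) : null;
if ($path === null) {
    http_response_code(404);                        // same response for every rejection
    exit;
}
header('Content-Type: ' . CONTENT_TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
readfile($path);
```

With this in place a request for ../../../../config.php resolves to a path outside resources/ and is answered with a 404 rather than the file contents.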

How It Can Be Exploited

A simple PoC for the path traversal vulnerability in vulnerable Moodle instances (using Wiris MathType library v7.28.0 and lower) can be constructed:

http://<url>/filter/wiris/integration/resource.php?resourcefile=../../../../config.php

If the PoC is successful, the user will have downloaded the contents of the config.php file.

Blackboard was also found to be partially vulnerable to this issue; however, for the most part Tomcat's path normalisation prevents the resource handler from fetching files from outside the plugin root. In some configurations on older Tomcat servers, it may be possible to traverse further.

Blackboard payloads:

https://<blackboard-url>/webapps/vtbe-tinymce/app/resource?resourcefile=../../WEB-INF/web.xml
https://<blackboard-url>/webapps/vtbe-tinymce/app/resource?resourcefile=../../WEB-INF/bb-manifest.xml
https://<blackboard-url>/webapps/vtbe-tinymce/app/resource?resourcefile=../../WEB-INF/config/struts/struts-config.xml
https://<blackboard-url>/webapps/vtbe-tinymce/app/resource?resourcefile=../../spellcheck/editDictionary.jsp

Potential Impact

In the case of the Moodle exploit it is trivial to return the environment variables stored in the config.php file, which may allow an attacker to retrieve cleartext database credentials and other implementation secrets. Depending on the application, it may also be possible to retrieve source code.

How to Fix It

Wiris has now completely removed the resource handler code, as seen in a pull request made on the 18th of May. To ensure that your applications are not affected, verify that the version of the Wiris MathType library in use is v7.28.1 or above.

Vulnerability Disclosure Timeline:

  • 22/04/2022 Issue reported to Wiris.
  • 18/05/2022 Resource Handler was deleted by Wiris.
  • 16/06/2022 CVE-2022-31372 assigned.
