-
-
Notifications
You must be signed in to change notification settings - Fork 221
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GHSA SYNC: 2 brand new advisories (#817)
--------- Co-authored-by: Postmodern <[email protected]>
- Loading branch information
1 parent
ebac396
commit 951c00b
Showing
2 changed files
with
133 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| --- | ||
| gem: camaleon_cms | ||
| ghsa: 7x4w-cj9r-h4v9 | ||
| url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 | ||
| title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185) | ||
| date: 2024-09-18 | ||
| description: | | ||
| The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) | ||
| defined inside of the MediaController class do not check whether a | ||
| given path is inside a certain path (e.g. inside the media folder). | ||
| If an attacker performed an account takeover of an administrator | ||
| account (See: GHSL-2024-184) they could delete arbitrary files or | ||
| folders on the server hosting Camaleon CMS. The | ||
| [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) | ||
| action might make arbitrary file writes (similar impact to GHSL-2024-182) | ||
| for any authenticated user possible, but it doesn't seem to work currently. | ||
| Arbitrary file deletion can be exploited with following code path: | ||
| The parameter folder flows from the actions method: | ||
| ```ruby | ||
| def actions | ||
| authorize! :manage, :media if params[:media_action] != 'crop_url' | ||
| params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present? | ||
| case params[:media_action] | ||
| [..] | ||
| when 'del_file' | ||
| cama_uploader.delete_file(params[:folder].gsub('//', '/')) | ||
| render plain: '' | ||
| ``` | ||
| into the method delete_file of the CamaleonCmsLocalUploader | ||
| class (when files are uploaded locally): | ||
| ```ruby | ||
| def delete_file(key) | ||
| file = File.join(@root_folder, key) | ||
| FileUtils.rm(file) if File.exist? file | ||
| @instance.hooks_run('after_delete', key) | ||
| get_media_collection.find_by_key(key).take.destroy | ||
| end | ||
| ``` | ||
| Where it is joined in an unchecked manner with the root folder and | ||
| then deleted. | ||
| **Proof of concept** | ||
| The following request would delete the file README.md in the top | ||
| folder of the Ruby on Rails application. (The values for auth_token, | ||
| X-CSRF-Token and _cms_session would also need to be replaced with | ||
| authenticated values in the curl command below) | ||
| ``` | ||
| curl --path-as-is -i -s -k -X $'POST' \ | ||
| -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \ | ||
| -b $'auth_token=[..]; _cms_session=[..]' \ | ||
| --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=.. | ||
| 2F.. | ||
| 2F.. | ||
| 2FREADME.md&media_action=del_file' \ | ||
| $'https://<camaleon-host>/admin/media/actions?actions=true' | ||
| ``` | ||
| **Impact** | ||
| This issue may lead to a defective CMS or system. | ||
| **Remediation** | ||
| Normalize all file paths constructed from untrusted user input | ||
| before using them and check that the resulting path is inside the | ||
| targeted directory. Additionally, do not allow character sequences | ||
| such as .. in untrusted input that is used to build paths. | ||
| **See also:** | ||
| [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) | ||
| [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) | ||
| cvss_v3: 7.2 | ||
| patched_versions: | ||
| - ">= 2.8.1" | ||
| related: | ||
| url: | ||
| - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 | ||
| - https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2 | ||
| - https://github.com/advisories/GHSA-7x4w-cj9r-h4v9 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| --- | ||
| gem: camaleon_cms | ||
| ghsa: r9cr-qmfw-pmrc | ||
| url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc | ||
| title: Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184) | ||
| date: 2024-09-18 | ||
| description: | | ||
| A stored cross-site scripting has been found in the image upload | ||
| functionality that can be used by normal registered users: | ||
| It is possible to upload a SVG image containing JavaScript and | ||
| it's also possible to upload a HTML document when the format | ||
| parameter is manually changed to [documents][1] or a string of an | ||
| [unsupported format][2]. If an authenticated user or administrator | ||
| visits that uploaded image or document malicious JavaScript can be | ||
| executed on their behalf | ||
| (e.g. changing or deleting content inside of the CMS.) | ||
| [1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106 | ||
| [2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111 | ||
| ## Impact | ||
| This issue may lead to account takeover due to reflected | ||
| Cross-site scripting (XSS). | ||
| ## Remediation | ||
| Only allow the upload of safe files such as PNG, TXT and others | ||
| or serve all "unsafe" files such as SVG and other files with a | ||
| content-disposition: attachment header, which should prevent | ||
| browsers from displaying them. | ||
| Additionally, a [Content security policy (CSP)][3] | ||
| can be created that disallows inlined script. (Other parts of the | ||
| application might need modification to continue functioning.) | ||
| [3]: https://web.dev/articles/csp | ||
| To prevent the theft of the auth_token it could be marked with | ||
| HttpOnly. This would however not prevent that actions could be | ||
| performed as the authenticated user/administrator. Furthermore, | ||
| it could make sense to use the authentication provided by | ||
| Ruby on Rails, so that stolen tokens cannot be used anymore | ||
| after some time. | ||
| cvss_v3: 5.4 | ||
| patched_versions: | ||
| - ">= 2.8.1" | ||
| related: | ||
| url: | ||
| - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc | ||
| - https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b | ||
| - https://github.com/advisories/GHSA-r9cr-qmfw-pmrc |