-
-
Notifications
You must be signed in to change notification settings - Fork 218
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GHSA SYNC: 1 brand new advisory (#826)
--------- Co-authored-by: Postmodern <[email protected]>
- Loading branch information
1 parent
6f90c48
commit a93d52d
Showing
1 changed file
with
103 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| --- | ||
| gem: camaleon_cms | ||
| cve: 2024-46986 | ||
| ghsa: wmjg-vqhv-q5p5 | ||
| url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5 | ||
| title: Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182) | ||
| date: 2024-09-18 | ||
| description: | | ||
| An arbitrary file write vulnerability accessible via the upload method | ||
| of the `MediaController` allows authenticated users to write arbitrary | ||
| files to any location on the web server Camaleon CMS is running on | ||
| (depending on the permissions of the underlying filesystem). | ||
| E.g. This can lead to a delayed remote code execution in case an | ||
| attacker is able to write a Ruby file into the `config/initializers/` | ||
| subfolder of the Ruby on Rails application. | ||
| Once a user upload is started via the [upload] method, the | ||
| `file_upload` and the folder parameter. | ||
| [upload]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87 | ||
| ```ruby | ||
| def upload(settings = {}) | ||
| params[:dimension] = nil if params[:skip_auto_crop].present? | ||
| f = { error: 'File not found.' } | ||
| if params[:file_upload].present? | ||
| f = upload_file(params[:file_upload], | ||
| { folder: params[:folder], dimension: params['dimension'], formats: params[:formats], versions: params[:versions], | ||
| thumb_size: params[:thumb_size] }.merge(settings)) | ||
| end | ||
| [..] | ||
| end | ||
| ``` | ||
| are passed to the [upload_file] method. Inside that method the | ||
| given settings are [merged] with some presets. The file format | ||
| is [checked against] the formats settings we can override with | ||
| the formats parameters. | ||
| [upload_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L23-L24 | ||
| [merged]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L41-L42 | ||
| [checked against]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L61-L62 | ||
| ```ruby | ||
| # formats validations | ||
| return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format( | ||
| uploaded_io.path, settings[:formats] | ||
| ) | ||
| ``` | ||
| Our given folder is then [passed unchecked] to the `Cama_uploader`: | ||
| [passed unchecked]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L73-L74 | ||
| ```ruby | ||
| key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash | ||
| res = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] }) | ||
| ``` | ||
| In the [add_file] method of `CamaleonCmsLocalUploader` this key argument containing the | ||
| unchecked path is then used to write the file to the file system: | ||
| [add_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L77 | ||
| ```ruby | ||
| def add_file(uploaded_io_or_file_path, key, args = {}) | ||
| [..] | ||
| upload_io = uploaded_io_or_file_path.is_a?(String) ? File.open(uploaded_io_or_file_path) : uploaded_io_or_file_path | ||
| File.open(File.join(@root_folder, key), 'wb') { |file| file.write(upload_io.read) } | ||
| [..] | ||
| end | ||
| ``` | ||
| ## Impact | ||
| This issue may lead up to Remote Code Execution (RCE) via arbitrary | ||
| file write. | ||
| ## Remediation | ||
| Normalize file paths constructed from untrusted user input before using | ||
| them and check that the resulting path is inside the targeted directory. | ||
| Additionally, do not allow character sequences such as `..` in untrusted | ||
| input that is used to build paths. | ||
| ## See Also | ||
| [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) | ||
| [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) | ||
| cvss_v3: 9.9 | ||
| unaffected_versions: | ||
| - "< 2.8.0" | ||
| patched_versions: | ||
| - ">= 2.8.1" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2024-46986 | ||
| - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5 | ||
| - https://github.com/owen2345/camaleon-cms/commit/b3b12b1e4a9e3fccaf5bb4330820fa7f8744e6bd | ||
| - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection | ||
| - https://owasp.org/www-community/attacks/Path_Traversal | ||
| - https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released | ||
| - https://github.com/advisories/GHSA-wmjg-vqhv-q5p5 |