Full Disclosure mailing list archives
Re: Totaljs CMS authenticated path traversal (could lead to RCE)
From: paw <riccardo.krauter () gmail com>
Date: Fri, 6 Sep 2019 14:51:35 +0200
Update: [+] CVE-id: CVE-2019-15952 Il 30/08/19 19:45, paw ha scritto:
*Totaljs CMS authenticated path traversal (could lead to RCE)* [+] Author/Discoverer: Riccardo Krauter @CertimeterGroup [+] Title: Totaljs CMS authenticated path traversal (could lead to RCE) [+] Affected software: Totaljs CMS 12.0[+] Description: An authenticated user with “Pages” privilege can include via path traversal attack (../) .html files that are outside the permitted directory. Also if the page contains template directive, then the directive will be server side processed, so if a user can control the content of a .html file, then can inject payload with malicious template directive to gain RemoteCodeExecution.The exploit will work only with .html extension. [+] Step to reproduce: 1) go to http://localhost:8000/admin/pages/ 2) click on create button 3) enable burp proxy forwarding4) select a template from the menu this will send a POST request to the API 5) from burp modify the json body request by adding the path traversal on the template parameter like this {"body":"","template":"../../../../../../../../../../../../var/www/html/test_rce"}do NOT add the .html extension it will be added to the back-end API 6) send the request [+] Project link: https://github.com/totaljs/cms[+] Original report and details: https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf[+] Timeline: - 13/02/2019 -> reported the issue to the vendor .... many ping here - 18/06/2019 -> pinged the vendor last time - 29/08/2019 -> reported to seclist
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Totaljs CMS authenticated path traversal (could lead to RCE) paw (Sep 03)
- Re: Totaljs CMS authenticated path traversal (could lead to RCE) paw (Sep 06)