diff --git a/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml b/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml deleted file mode 100644 index f160a5417a..0000000000 --- a/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml +++ /dev/null @@ -1,87 +0,0 @@ ---- -gem: camaleon_cms -ghsa: 3hp8-6j24-m5gm -url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 -title: Camaleon CMS vulnerable to remote code execution - through code injection (GHSL-2024-185) -date: 2024-09-23 -description: | - The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) - defined inside of the MediaController class do not check whether a - given path is inside a certain path (e.g. inside the media folder). - If an attacker performed an account takeover of an administrator - account (See: GHSL-2024-184) they could delete arbitrary files or - folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) - action might make arbitrary file writes (similar impact to - GHSL-2024-182) for any authenticated user possible, but it doesn't - seem to work currently. - - Arbitrary file deletion can be exploited with following code path: - The parameter folder flows from the actions method: - - ```ruby - def actions - authorize! :manage, :media if params[:media_action] != 'crop_url' - params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present? - case params[:media_action] - [..] - when 'del_file' - cama_uploader.delete_file(params[:folder].gsub('//', '/')) - render plain: '' - ``` - - into the method delete_file of the CamaleonCmsLocalUploader - class (when files are uploaded locally): - - ```ruby - def delete_file(key) - file = File.join(@root_folder, key) - FileUtils.rm(file) if File.exist? file - @instance.hooks_run('after_delete', key) - get_media_collection.find_by_key(key).take.destroy - end - ``` - - Where it is joined in an unchecked manner with the root folder - and then deleted. - - **Proof of concept** - - The following request would delete the file README.md in the top - folder of the Ruby on Rails application. (The values for - auth_token, X-CSRF-Token and _cms_session would also need to be - replaced with authenticated values in the curl command below) - - ``` - curl --path-as-is -i -s -k -X $'POST' \ - -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \ - -b $'auth_token=[..]; _cms_session=[..]' \ - --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=.. - 2F.. - 2F.. - 2FREADME.md&media_action=del_file' \ - $'https:///admin/media/actions?actions=true' - ``` - - **Impact** - - This issue may lead to a defective CMS or system. - - **Remediation** - - Normalize all file paths constructed from untrusted user input before - using them and check that the resulting path is inside the targeted - directory. Additionally, do not allow character sequences such as .. - in untrusted input that is used to build paths. - - **See also:** - - [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) - [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) -patched_versions: - - ">= 2.8.1" -related: - url: - - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 - - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml - - https://github.com/advisories/GHSA-3hp8-6j24-m5gm