lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 30 Aug 2019 19:45:41 +0200
From: paw <>
Subject: [FD] Totaljs CMS authenticated path traversal (could lead to RCE)

*Totaljs CMS authenticated path traversal (could lead to RCE)*

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS authenticated path traversal (could lead to RCE)

[+] Affected software: Totaljs CMS 12.0

[+] Description: An authenticated user with “Pages” privilege can 
include via path traversal attack (../) .html files that are outside the 
permitted directory. Also if the page contains template directive, then 
the directive will be server side processed, so if a user can control 
the content of a .html file, then can inject payload with malicious 
template directive to gain RemoteCodeExecution.
The exploit will work only with .html extension.

[+] Step to reproduce:

1) go to http://localhost:8000/admin/pages/
2) click on create button
3) enable burp proxy forwarding
4) select a template from the menu this will send a POST request to the API
5) from burp modify the json body request by adding the path traversal 
on the template parameter like this 
do NOT add the .html extension it will be added to the back-end API
6) send the request

[+] Project link:

[+] Original report and details:

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 29/08/2019 -> reported to seclist

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists