lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 6 Sep 2019 14:51:35 +0200
From: paw <riccardo.krauter@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Totaljs CMS authenticated path traversal (could lead to
	RCE)

Update:

[+] CVE-id: CVE-2019-15952

Il 30/08/19 19:45, paw ha scritto:
>
> *Totaljs CMS authenticated path traversal (could lead to RCE)*
>
> [+] Author/Discoverer: Riccardo Krauter @CertimeterGroup
>
> [+] Title: Totaljs CMS authenticated path traversal (could lead to RCE)
>
> [+] Affected software: Totaljs CMS 12.0
>
> [+] Description: An authenticated user with “Pages” privilege can 
> include via path traversal attack (../) .html files that are outside 
> the permitted directory. Also if the page contains template directive, 
> then the directive will be server side processed, so if a user can 
> control the content of a .html file, then can inject payload with 
> malicious template directive to gain RemoteCodeExecution.
> The exploit will work only with .html extension.
>
> [+] Step to reproduce:
>
> 1) go to http://localhost:8000/admin/pages/
> 2) click on create button
> 3) enable burp proxy forwarding
> 4) select a template from the menu this will send a POST request to 
> the API
> 5) from burp modify the json body request by adding the path traversal 
> on the template parameter like this 
> {"body":"","template":"../../../../../../../../../../../../var/www/html/test_rce"}
> do NOT add the .html extension it will be added to the back-end API
> 6) send the request
>
> [+] Project link: https://github.com/totaljs/cms
>
> [+] Original report and details: 
> https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
>
> [+] Timeline:
>
> - 13/02/2019 -> reported the issue to the vendor
>
> .... many ping here
>
> - 18/06/2019 -> pinged the vendor last time
>
> - 29/08/2019 -> reported to seclist
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists