-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
Copy pathCVE-2024-46986.yml
103 lines (85 loc) · 4.49 KB
/
CVE-2024-46986.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
---
gem: camaleon_cms
cve: 2024-46986
ghsa: wmjg-vqhv-q5p5
url: /~https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5
title: Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)
date: 2024-09-18
description: |
An arbitrary file write vulnerability accessible via the upload method
of the `MediaController` allows authenticated users to write arbitrary
files to any location on the web server Camaleon CMS is running on
(depending on the permissions of the underlying filesystem).
E.g. This can lead to a delayed remote code execution in case an
attacker is able to write a Ruby file into the `config/initializers/`
subfolder of the Ruby on Rails application.
Once a user upload is started via the [upload] method, the
`file_upload` and the folder parameter.
[upload]: /~https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87
```ruby
def upload(settings = {})
params[:dimension] = nil if params[:skip_auto_crop].present?
f = { error: 'File not found.' }
if params[:file_upload].present?
f = upload_file(params[:file_upload],
{ folder: params[:folder], dimension: params['dimension'], formats: params[:formats], versions: params[:versions],
thumb_size: params[:thumb_size] }.merge(settings))
end
[..]
end
```
are passed to the [upload_file] method. Inside that method the
given settings are [merged] with some presets. The file format
is [checked against] the formats settings we can override with
the formats parameters.
[upload_file]: /~https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L23-L24
[merged]: /~https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L41-L42
[checked against]: /~https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L61-L62
```ruby
# formats validations
return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(
uploaded_io.path, settings[:formats]
)
```
Our given folder is then [passed unchecked] to the `Cama_uploader`:
[passed unchecked]: /~https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L73-L74
```ruby
key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash
res = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] })
```
In the [add_file] method of `CamaleonCmsLocalUploader` this key argument containing the
unchecked path is then used to write the file to the file system:
[add_file]: /~https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L77
```ruby
def add_file(uploaded_io_or_file_path, key, args = {})
[..]
upload_io = uploaded_io_or_file_path.is_a?(String) ? File.open(uploaded_io_or_file_path) : uploaded_io_or_file_path
File.open(File.join(@root_folder, key), 'wb') { |file| file.write(upload_io.read) }
[..]
end
```
## Impact
This issue may lead up to Remote Code Execution (RCE) via arbitrary
file write.
## Remediation
Normalize file paths constructed from untrusted user input before using
them and check that the resulting path is inside the targeted directory.
Additionally, do not allow character sequences such as `..` in untrusted
input that is used to build paths.
## See Also
[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
[OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
cvss_v3: 9.9
unaffected_versions:
- "< 2.8.0"
patched_versions:
- ">= 2.8.1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-46986
- /~https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5
- /~https://github.com/owen2345/camaleon-cms/commit/b3b12b1e4a9e3fccaf5bb4330820fa7f8744e6bd
- https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
- https://owasp.org/www-community/attacks/Path_Traversal
- https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released
- /~https://github.com/advisories/GHSA-wmjg-vqhv-q5p5