diff --git a/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml b/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml new file mode 100644 index 0000000000..287f7a5a0e --- /dev/null +++ b/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml 
@@ -0,0 +1,81 @@ +--- +gem: camaleon_cms +ghsa: 7x4w-cj9r-h4v9 +url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 +title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185) +date: 2024-09-18 +description: | + The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) + defined inside of the MediaController class do not check whether a + given path is inside a certain path (e.g. inside the media folder). + If an attacker performed an account takeover of an administrator + account (See: GHSL-2024-184) they could delete arbitrary files or + folders on the server hosting Camaleon CMS. The + [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) + action might make arbitrary file writes (similar impact to GHSL-2024-182) + for any authenticated user possible, but it doesn't seem to work currently. + + Arbitrary file deletion can be exploited with following code path: + The parameter folder flows from the actions method: + ```ruby + def actions + authorize! :manage, :media if params[:media_action] != 'crop_url' + params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present? + case params[:media_action] + [..] + when 'del_file' + cama_uploader.delete_file(params[:folder].gsub('//', '/')) + render plain: '' + ``` + into the method delete_file of the CamaleonCmsLocalUploader + class (when files are uploaded locally): + ```ruby + def delete_file(key) + file = File.join(@root_folder, key) + FileUtils.rm(file) if File.exist? file + @instance.hooks_run('after_delete', key) + get_media_collection.find_by_key(key).take.destroy + end + ``` + Where it is joined in an unchecked manner with the root folder and + then deleted. 
+ + **Proof of concept** + The following request would delete the file README.md in the top + folder of the Ruby on Rails application. (The values for auth_token, + X-CSRF-Token and _cms_session would also need to be replaced with + authenticated values in the curl command below) + ``` + curl --path-as-is -i -s -k -X $'POST' \ + -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \ + -b $'auth_token=[..]; _cms_session=[..]' \ + --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=.. + 2F.. + 2F.. + 2FREADME.md&media_action=del_file' \ + $'https:///admin/media/actions?actions=true' + ``` + + **Impact** + + This issue may lead to a defective CMS or system. + + **Remediation** + + Normalize all file paths constructed from untrusted user input + before using them and check that the resulting path is inside the + targeted directory. Additionally, do not allow character sequences + such as .. in untrusted input that is used to build paths. + + **See also:** + + [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) + [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) +cvss_v3: 7.2 +patched_versions: + - ">= 2.8.1" +related: + url: + - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 + - https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2 + - https://github.com/advisories/GHSA-7x4w-cj9r-h4v9 diff --git a/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml b/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml new file mode 100644 index 0000000000..e8126cb515 --- /dev/null +++ b/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml 
@@ -0,0 +1,52 @@ +--- +gem: camaleon_cms +ghsa: r9cr-qmfw-pmrc +url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc +title: Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184) +date: 2024-09-18 +description: | + A stored cross-site scripting has been found in the image upload + functionality that can be used by normal registered users: + It is possible to upload a SVG image containing JavaScript and + it's also possible to upload a HTML document when the format + parameter is manually changed to [documents][1] or a string of an + [unsupported format][2]. If an authenticated user or administrator + visits that uploaded image or document malicious JavaScript can be + executed on their behalf + (e.g. changing or deleting content inside of the CMS.) + + [1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106 + [2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111 + + ## Impact + + This issue may lead to account takeover due to reflected + Cross-site scripting (XSS). + + ## Remediation + + Only allow the upload of safe files such as PNG, TXT and others + or serve all "unsafe" files such as SVG and other files with a + content-disposition: attachment header, which should prevent + browsers from displaying them. + + Additionally, a [Content security policy (CSP)][3] + can be created that disallows inlined script. (Other parts of the + application might need modification to continue functioning.) + + [3]: https://web.dev/articles/csp + + To prevent the theft of the auth_token it could be marked with + HttpOnly. This would however not prevent that actions could be + performed as the authenticated user/administrator. 
Furthermore, + it could make sense to use the authentication provided by + Ruby on Rails, so that stolen tokens cannot be used anymore + after some time. +cvss_v3: 5.4 +patched_versions: + - ">= 2.8.1" +related: + url: + - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc + - https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b + - https://github.com/advisories/GHSA-r9cr-qmfw-pmrc
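Review bot: The `title` in GHSA-7x4w-cj9r-h4v9.yml ("remote code execution through code injection") does not match what the `description` in the same hunk documents, which is a path traversal in `delete_file` (`File.join(@root_folder, key)` with an unchecked `key`) leading to arbitrary file deletion via `del_file`; the only write vector mentioned, `crop_url`, is explicitly noted as "doesn't seem to work currently". Consider retitling to the described impact, e.g. `title: Camaleon CMS vulnerable to arbitrary file deletion through path traversal (GHSL-2024-185)`, unless the database convention is to mirror the upstream GHSA title verbatim. The `**Impact**` sentence "This issue may lead to a defective CMS or system" is also vaguer than the description itself; stating "deletion of arbitrary files or folders on the host by an authenticated administrator" would match the text above it. If a CVE has been assigned, add the `cve:` field alongside `ghsa:` so the entry can be cross-referenced.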
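Review bot: The `## Impact` section of GHSA-r9cr-qmfw-pmrc.yml says "account takeover due to reflected Cross-site scripting (XSS)", but the `title` and the first sentence of the `description` classify the issue as stored XSS (a SVG or HTML document is uploaded and the script runs when another user visits it), so the impact wording contradicts the rest of the entry. Suggest `This issue may lead to account takeover due to stored Cross-site scripting (XSS).` The two files added in this patch also use different heading styles inside `description` (`**Impact**` / `**Remediation**` in GHSA-7x4w-cj9r-h4v9.yml versus `## Impact` / `## Remediation` here); picking one keeps the rendered entries consistent.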