[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Totaljs CMS authenticated path traversal (could lead to RCE)
From: paw <riccardo.krauter () gmail ! com>
Date: 2019-08-30 17:45:41
Message-ID: 41dfb958-aed8-7564-7671-9176aad70e13 () gmail ! com
[Download RAW message or body]
*Totaljs CMS authenticated path traversal (could lead to RCE)*
[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup
**
[+] Title: Totaljs CMS authenticated path traversal (could lead to RCE)
[+] Affected software: Totaljs CMS 12.0
[+] Description: An authenticated user with "Pages" privilege can
include via path traversal attack (../) .html files that are outside the
permitted directory. Also if the page contains template directive, then
the directive will be server side processed, so if a user can control
the content of a .html file, then can inject payload with malicious
template directive to gain RemoteCodeExecution.
The exploit will work only with .html extension.
[+] Step to reproduce:
1) go to http://localhost:8000/admin/pages/
2) click on create button
3) enable burp proxy forwarding
4) select a template from the menu this will send a POST request to the API
5) from burp modify the json body request by adding the path traversal
on the template parameter like this
{"body":"","template":"../../../../../../../../../../../../var/www/html/test_rce"}
do NOT add the .html extension it will be added to the back-end API
6) send the request
[+] Project link: https://github.com/totaljs/cms
[+] Original report and details:
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
[+] Timeline:
- 13/02/2019 -> reported the issue to the vendor
.... many ping here
- 18/06/2019 -> pinged the vendor last time
- 29/08/2019 -> reported to seclist
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic