Publish Advisories

GHSA-7x4w-cj9r-h4v9 GHSA-cp65-5m9r-vc2c GHSA-r9cr-qmfw-pmrc
2024-09-18 15:48:15 +00:00 · 2024-09-18 15:48:15 +00:00 · 81d9fe4a1c
--- a/advisories/github-reviewed/2024/09/GHSA-7x4w-cj9r-h4v9/GHSA-7x4w-cj9r-h4v9.json
+++ b/advisories/github-reviewed/2024/09/GHSA-7x4w-cj9r-h4v9/GHSA-7x4w-cj9r-h4v9.json
@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7x4w-cj9r-h4v9",
+  "modified": "2024-09-18T15:47:07Z",
+  "published": "2024-09-18T15:47:07Z",
+  "aliases": [
+
+  ],
+  "summary": "Camaleon CMS allows remote code execution through code injection (GHSL-2024-185)",
+  "details": "The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.\n\nArbitrary file deletion can be exploited with following code path: The parameter folder flows from the actions method:\n```ruby\n  def actions\n    authorize! :manage, :media if params[:media_action] != 'crop_url'\n    params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?\n    case params[:media_action]\n    [..]\n    when 'del_file'\n      cama_uploader.delete_file(params[:folder].gsub('//', '/'))\n      render plain: ''\n```\ninto the method delete_file of the CamaleonCmsLocalUploader class (when files are uploaded locally):\n```ruby\ndef delete_file(key)\n  file = File.join(@root_folder, key)\n  FileUtils.rm(file) if File.exist? file\n  @instance.hooks_run('after_delete', key)\n  get_media_collection.find_by_key(key).take.destroy\nend\n```\nWhere it is joined in an unchecked manner with the root folder and then deleted.\n\n**Proof of concept**\nThe following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)\n```\ncurl --path-as-is -i -s -k -X $'POST' \\\n    -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \\\n    -b $'auth_token=[..]; _cms_session=[..]' \\\n    --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..%2F..%2F..%2FREADME.md&media_action=del_file' \\\n    $'https://<camaleon-host>/admin/media/actions?actions=true'\n```\n**Impact**\nThis issue may lead to a defective CMS or system.\n\n**Remediation**\nNormalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.\n\n**See also:**\n\n[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)\n[OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "camaleon_cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.8.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/owen2345/camaleon-cms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-09-18T15:47:07Z",
+    "nvd_published_at": null
+  }
+}
--- a/advisories/github-reviewed/2024/09/GHSA-cp65-5m9r-vc2c/GHSA-cp65-5m9r-vc2c.json
+++ b/advisories/github-reviewed/2024/09/GHSA-cp65-5m9r-vc2c/GHSA-cp65-5m9r-vc2c.json
@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cp65-5m9r-vc2c",
+  "modified": "2024-09-18T15:46:53Z",
+  "published": "2024-09-18T15:46:53Z",
+  "aliases": [
+
+  ],
+  "summary": "Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)",
+  "details": "A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).\n\nIn the [download_private_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28) method:\n```ruby\ndef download_private_file\n  cama_uploader.enable_private_mode!\n\n  file = cama_uploader.fetch_file(\"private/#{params[:file]}\")\n\n  send_file file, disposition: 'inline'\nend\n```\nThe file parameter is passed to the [fetch_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27) method of the CamaleonCmsLocalUploader class (when files are uploaded locally):\n```ruby\ndef fetch_file(file_name)\n  raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)\n\n  file_name\nend\n```\nIf the file exists it's passed back to the download_private_file method where the file is sent to the user via [send_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34).\n\nProof of concept\nAn authenticated user can download the /etc/passwd file by visiting an URL such as:\n\nhttps://<camaleon-host>/admin/media/download_private_file?file=../../../../../../etc/passwd\nImpact\nThis issue may lead to Information Disclosure.\n\nRemediation\nNormalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.\n\nSee also:\n\n[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)\n[OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "camaleon_cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.8.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/owen2345/camaleon-cms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-09-18T15:46:53Z",
+    "nvd_published_at": null
+  }
+}
--- a/advisories/github-reviewed/2024/09/GHSA-r9cr-qmfw-pmrc/GHSA-r9cr-qmfw-pmrc.json
+++ b/advisories/github-reviewed/2024/09/GHSA-r9cr-qmfw-pmrc/GHSA-r9cr-qmfw-pmrc.json
@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r9cr-qmfw-pmrc",
+  "modified": "2024-09-18T15:47:01Z",
+  "published": "2024-09-18T15:47:01Z",
+  "aliases": [
+
+  ],
+  "summary": "Camaleon CMS allows stored XSS through user file upload (GHSL-2024-184)",
+  "details": "A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it's also possible to upload a HTML document when the format parameter is manually changed to [documents](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106) or a string of an [unsupported format](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111). If an authenticated user or administrator visits that uploaded image or document malicious JavaScript can be executed on their behalf (e.g. changing or deleting content inside of the CMS.)\n\nProof of concept\nLogin as a normal user (if user signup is enabled).\nGo to the user's profile.\nAnd upload the following profile picture via drag and drop.\nThe content of the SVG file could be as follows (e.g. name it test-xss.svg):\n\n<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<svg\n   xmlns:dc=\"http://purl.org/dc/elements/1.1/\"\n   xmlns:cc=\"http://creativecommons.org/ns#\"\n   xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"\n   xmlns:svg=\"http://www.w3.org/2000/svg\"\n   xmlns=\"http://www.w3.org/2000/svg\"\n   width=\"500\"\n   height=\"500\"\n   viewBox=\"0 0 198.4375 52.916666\"\n   version=\"1.1\">\n  <g\n     transform=\"translate(-9.8676114,4.8833333)\">\n    <path\n       d=\"m 107.79557,-10.430538 -7.33315,-0.02213 -3.647402,-6.361755 3.685742,-6.339624 7.33314,0.02213 3.64741,6.361756 z\"\n       style=\"fill:#131f6b;fill-opacity:1;stroke-width:0.05937638\"\n       transform=\"scale(1,-1)\" />\n  <!-- The below lines were added in a text editor to the image XML. This is the stored XSS attack. -->\n  <script type=\"text/javascript\">\n    alert(\"This is an example of a stored XSS attack in an SVG image, here's the cookie: \" + document.cookie);\n  </script>\n  </g>\n</svg>\nThe server might fail with a 500 internal server error, but the uploaded image should be available at a location like https://<camaleon-host>/media/1/test-xss-cookie.svg. If an authenticated user or administrator accesses that link their auth_token is reflected. Since the auth_token cookie contains a static [auth token](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/models/concerns/camaleon_cms/user_methods.rb#L18-L19) value that only changes when a user changes their password.\n\nImpact\nThis issue may lead to account takeover due to reflected Cross-site scripting (XSS).\n\nRemediation\nOnly allow the upload of safe files such as PNG, TXT and others or serve all \"unsafe\" files such as SVG and other files with a content-disposition: attachment header, which should prevent browsers from displaying them.\n\nAdditionally, a [Content security policy (CSP)](https://web.dev/articles/csp) can be created that disallows inlined script. (Other parts of the application might need modification to continue functioning.)\n\nTo prevent the theft of the auth_token it could be marked with HttpOnly. This would however not prevent that actions could be performed as the authenticated user/administrator. Furthermore, it could make sense to use the authentication provided by Ruby on Rails, so that stolen tokens cannot be used anymore after some time.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "camaleon_cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.8.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/owen2345/camaleon-cms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-09-18T15:47:01Z",
+    "nvd_published_at": null
+  }
+}