|
| 1 | +--- |
| 2 | +gem: camaleon_cms |
| 3 | +cve: 2024-46986 |
| 4 | +ghsa: wmjg-vqhv-q5p5 |
| 5 | +url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5 |
| 6 | +title: Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182) |
| 7 | +date: 2024-09-18 |
| 8 | +description: | |
| 9 | + An arbitrary file write vulnerability accessible via the upload method |
| 10 | + of the `MediaController` allows authenticated users to write arbitrary |
| 11 | + files to any location on the web server Camaleon CMS is running on |
| 12 | + (depending on the permissions of the underlying filesystem). |
| 13 | + E.g. This can lead to a delayed remote code execution in case an |
| 14 | + attacker is able to write a Ruby file into the `config/initializers/` |
| 15 | + subfolder of the Ruby on Rails application. |
| 16 | +
|
| 17 | + Once a user upload is started via the [upload] method, the |
| 18 | + `file_upload` and the folder parameter. |
| 19 | +
|
| 20 | + [upload]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87 |
| 21 | +
|
| 22 | + ```ruby |
| 23 | + def upload(settings = {}) |
| 24 | + params[:dimension] = nil if params[:skip_auto_crop].present? |
| 25 | + f = { error: 'File not found.' } |
| 26 | + if params[:file_upload].present? |
| 27 | + f = upload_file(params[:file_upload], |
| 28 | + { folder: params[:folder], dimension: params['dimension'], formats: params[:formats], versions: params[:versions], |
| 29 | + thumb_size: params[:thumb_size] }.merge(settings)) |
| 30 | + end |
| 31 | + [..] |
| 32 | + end |
| 33 | + ``` |
| 34 | +
|
| 35 | + are passed to the [upload_file] method. Inside that method the |
| 36 | + given settings are [merged] with some presets. The file format |
| 37 | + is [checked against] the formats settings we can override with |
| 38 | + the formats parameters. |
| 39 | +
|
| 40 | + [upload_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L23-L24 |
| 41 | + [merged]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L41-L42 |
| 42 | + [checked against]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L61-L62 |
| 43 | +
|
| 44 | + ```ruby |
| 45 | + # formats validations |
| 46 | + return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format( |
| 47 | + uploaded_io.path, settings[:formats] |
| 48 | + ) |
| 49 | + ``` |
| 50 | +
|
| 51 | + Our given folder is then [passed unchecked] to the `Cama_uploader`: |
| 52 | +
|
| 53 | + [passed unchecked]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L73-L74 |
| 54 | +
|
| 55 | + ```ruby |
| 56 | + key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash |
| 57 | + res = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] }) |
| 58 | + ``` |
| 59 | +
|
| 60 | + In the [add_file] method of `CamaleonCmsLocalUploader` this key argument containing the |
| 61 | + unchecked path is then used to write the file to the file system: |
| 62 | +
|
| 63 | + [add_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L77 |
| 64 | +
|
| 65 | + ```ruby |
| 66 | + def add_file(uploaded_io_or_file_path, key, args = {}) |
| 67 | + [..] |
| 68 | + upload_io = uploaded_io_or_file_path.is_a?(String) ? File.open(uploaded_io_or_file_path) : uploaded_io_or_file_path |
| 69 | + File.open(File.join(@root_folder, key), 'wb') { |file| file.write(upload_io.read) } |
| 70 | + [..] |
| 71 | + end |
| 72 | + ``` |
| 73 | +
|
| 74 | + ## Impact |
| 75 | +
|
| 76 | + This issue may lead up to Remote Code Execution (RCE) via arbitrary |
| 77 | + file write. |
| 78 | +
|
| 79 | + ## Remediation |
| 80 | +
|
| 81 | + Normalize file paths constructed from untrusted user input before using |
| 82 | + them and check that the resulting path is inside the targeted directory. |
| 83 | + Additionally, do not allow character sequences such as `..` in untrusted |
| 84 | + input that is used to build paths. |
| 85 | +
|
| 86 | + ## See Also |
| 87 | +
|
| 88 | + [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) |
| 89 | + [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) |
| 90 | +cvss_v3: 9.9 |
| 91 | +unaffected_versions: |
| 92 | + - "< 2.8.0" |
| 93 | +patched_versions: |
| 94 | + - ">= 2.8.1" |
| 95 | +related: |
| 96 | + url: |
| 97 | + - https://nvd.nist.gov/vuln/detail/CVE-2024-46986 |
| 98 | + - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5 |
| 99 | + - https://github.com/owen2345/camaleon-cms/commit/b3b12b1e4a9e3fccaf5bb4330820fa7f8744e6bd |
| 100 | + - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection |
| 101 | + - https://owasp.org/www-community/attacks/Path_Traversal |
| 102 | + - https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released |
| 103 | + - https://github.com/advisories/GHSA-wmjg-vqhv-q5p5 |
0 commit comments