Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: Totaljs CMS authenticated path traversal (could lead to RCE)

Related Vulnerabilities: CVE-2019-15952  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="10"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#11">By Date</a>
<a href="12"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="2"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#11">By Thread</a>
<a href="3"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Re: Totaljs CMS authenticated path traversal (could lead to	RCE)</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: paw &lt;riccardo.krauter () gmail com&gt;


<em>Date</em>: Fri, 6 Sep 2019 14:51:35 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Update:

[+] CVE-id: CVE-2019-15952

Il 30/08/19 19:45, paw ha scritto:
</pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;">
*Totaljs CMS authenticated path traversal (could lead to RCE)*

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS authenticated path traversal (could lead to RCE)

[+] Affected software: Totaljs CMS 12.0

</pre><tt>[+] Description: An authenticated user with “Pages” privilege can 
</tt><tt>include via path traversal attack (../) .html files that are outside 
</tt><tt>the permitted directory. Also if the page contains template directive, 
</tt><tt>then the directive will be server side processed, so if a user can 
</tt><tt>control the content of a .html file, then can inject payload with 
</tt><tt>malicious template directive to gain RemoteCodeExecution.
</tt><pre style="margin: 0em;">The exploit will work only with .html extension.

[+] Step to reproduce:

1) go to <a rel="nofollow" href="http://localhost:8000/admin/pages/">http://localhost:8000/admin/pages/</a>
2) click on create button
3) enable burp proxy forwarding
</pre><tt>4) select a template from the menu this will send a POST request to 
</tt><tt>the API
</tt><tt>5) from burp modify the json body request by adding the path traversal 
</tt><tt>on the template parameter like this 
</tt><tt>{"body":"","template":"../../../../../../../../../../../../var/www/html/test_rce"}
</tt><pre style="margin: 0em;">do NOT add the .html extension it will be added to the back-end API
6) send the request

[+] Project link: <a rel="nofollow" href="https://github.com/totaljs/cms">https://github.com/totaljs/cms</a>

</pre><tt>[+] Original report and details: 
</tt><tt><a rel="nofollow" href="https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf">https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf</a>
</tt><pre style="margin: 0em;">
[+] Timeline:

- 13/02/2019 -&gt; reported the issue to the vendor

.... many ping here

- 18/06/2019 -&gt; pinged the vendor last time

- 29/08/2019 -&gt; reported to seclist

</pre></blockquote><pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="10"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#11">By Date</a>
<a href="12"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="2"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#11">By Thread</a>
<a href="3"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><a name="2" href="2">Totaljs CMS authenticated path traversal (could lead to RCE)</a> <em>paw (Sep 03)</em>
<ul>
<li><strong>Re: Totaljs CMS authenticated path traversal (could lead to	RCE)</strong> <em>paw (Sep 06)</em>
</li>
</ul>
</li>
</ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started