GHSA SYNC: 2 brand new advisories (#817)

---------

Co-authored-by: Postmodern <[email protected]>

Author: jasnow

gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml

@@ -0,0 +1,81 @@
+---
+gem: camaleon_cms
+ghsa: 7x4w-cj9r-h4v9
+url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
+date: 2024-09-18
+description: |
+  The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52)
+  defined inside of the MediaController class do not check whether a
+  given path is inside a certain path (e.g. inside the media folder).
+  If an attacker performed an account takeover of an administrator
+  account (See: GHSL-2024-184) they could delete arbitrary files or
+  folders on the server hosting Camaleon CMS. The
+  [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65)
+  action might make arbitrary file writes (similar impact to GHSL-2024-182)
+  for any authenticated user possible, but it doesn't seem to work currently.
+
+  Arbitrary file deletion can be exploited with following code path:
+  The parameter folder flows from the actions method:
+  ```ruby
+    def actions
+      authorize! :manage, :media if params[:media_action] != 'crop_url'
+      params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
+      case params[:media_action]
+      [..]
+      when 'del_file'
+        cama_uploader.delete_file(params[:folder].gsub('//', '/'))
+        render plain: ''
+  ```
+  into the method delete_file of the CamaleonCmsLocalUploader
+  class (when files are uploaded locally):
+  ```ruby
+  def delete_file(key)
+    file = File.join(@root_folder, key)
+    FileUtils.rm(file) if File.exist? file
+    @instance.hooks_run('after_delete', key)
+    get_media_collection.find_by_key(key).take.destroy
+  end
+  ```
+  Where it is joined in an unchecked manner with the root folder and
+  then deleted.
+
+  **Proof of concept**
+  The following request would delete the file README.md in the top
+  folder of the Ruby on Rails application. (The values for auth_token,
+  X-CSRF-Token and _cms_session would also need to be replaced with
+  authenticated values in the curl command below)
+  ```
+  curl --path-as-is -i -s -k -X $'POST' \
+      -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
+      -b $'auth_token=[..]; _cms_session=[..]' \
+      --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
+  2F..
+  2F..
+  2FREADME.md&media_action=del_file' \
+      $'https://<camaleon-host>/admin/media/actions?actions=true'
+  ```
+
+  **Impact**
+
+  This issue may lead to a defective CMS or system.
+
+  **Remediation**
+
+  Normalize all file paths constructed from untrusted user input
+  before using them and check that the resulting path is inside the
+  targeted directory. Additionally, do not allow character sequences
+  such as .. in untrusted input that is used to build paths.
+
+  **See also:**
+
+  [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+  [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+cvss_v3: 7.2
+patched_versions:
+  - ">= 2.8.1"
+related:
+  url:
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+    - https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2
+    - https://github.com/advisories/GHSA-7x4w-cj9r-h4v9

gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml

@@ -0,0 +1,52 @@
+---
+gem: camaleon_cms
+ghsa: r9cr-qmfw-pmrc
+url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc
+title: Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)
+date: 2024-09-18
+description: |
+  A stored cross-site scripting has been found in the image upload
+  functionality that can be used by normal registered users:
+  It is possible to upload a SVG image containing JavaScript and
+  it's also possible to upload a HTML document when the format
+  parameter is manually changed to [documents][1] or a string of an
+  [unsupported format][2]. If an authenticated user or administrator
+  visits that uploaded image or document malicious JavaScript can be
+  executed on their behalf
+  (e.g. changing or deleting content inside of the CMS.)
+
+  [1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106
+  [2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111
+
+  ## Impact
+
+  This issue may lead to account takeover due to reflected
+  Cross-site scripting (XSS).
+
+  ## Remediation
+
+  Only allow the upload of safe files such as PNG, TXT and others
+  or serve all "unsafe" files such as SVG and other files with a
+  content-disposition: attachment header, which should prevent
+  browsers from displaying them.
+
+  Additionally, a [Content security policy (CSP)][3]
+  can be created that disallows inlined script. (Other parts of the
+  application might need modification to continue functioning.)
+
+  [3]: https://web.dev/articles/csp
+
+  To prevent the theft of the auth_token it could be marked with
+  HttpOnly. This would however not prevent that actions could be
+  performed as the authenticated user/administrator. Furthermore,
+  it could make sense to use the authentication provided by
+  Ruby on Rails, so that stolen tokens cannot be used anymore
+  after some time.
+cvss_v3: 5.4
+patched_versions:
+  - ">= 2.8.1"
+related:
+  url:
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc
+    - https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b
+    - https://github.com/advisories/GHSA-r9cr-qmfw-pmrc