Updated advisory posts against rubysec/ruby-advisory-db@a93d52d

jasnow · RubySec CI · commit a425ab216b51 · 2024-10-09T17:56:06.000Z
diff --git a/advisories/_posts/2024-09-18-CVE-2024-46986.md b/advisories/_posts/2024-09-18-CVE-2024-46986.md
@@ -0,0 +1,111 @@
+---
+layout: advisory
+title: 'CVE-2024-46986 (camaleon_cms): Camaleon CMS affected by arbitrary file write
+  to RCE (GHSL-2024-182)'
+comments: false
+categories:
+- camaleon_cms
+advisory:
+  gem: camaleon_cms
+  cve: 2024-46986
+  ghsa: wmjg-vqhv-q5p5
+  url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5
+  title: Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)
+  date: 2024-09-18
+  description: |
+    An arbitrary file write vulnerability accessible via the upload method
+    of the `MediaController` allows authenticated users to write arbitrary
+    files to any location on the web server Camaleon CMS is running on
+    (depending on the permissions of the underlying filesystem).
+    E.g. This can lead to a delayed remote code execution in case an
+    attacker is able to write a Ruby file into the `config/initializers/`
+    subfolder of the Ruby on Rails application.
+
+    Once a user upload is started via the [upload] method, the
+    `file_upload` and the folder parameter.
+
+    [upload]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87
+
+    ```ruby
+    def upload(settings = {})
+      params[:dimension] = nil if params[:skip_auto_crop].present?
+      f = { error: 'File not found.' }
+      if params[:file_upload].present?
+        f = upload_file(params[:file_upload],
+                        { folder: params[:folder], dimension: params['dimension'], formats: params[:formats], versions: params[:versions],
+                          thumb_size: params[:thumb_size] }.merge(settings))
+      end
+      [..]
+    end
+    ```
+
+    are passed to the [upload_file] method. Inside that method the
+    given settings are [merged] with some presets. The file format
+    is [checked against] the formats settings we can override with
+    the formats parameters.
+
+    [upload_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L23-L24
+    [merged]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L41-L42
+    [checked against]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L61-L62
+
+    ```ruby
+    # formats validations
+      return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(
+        uploaded_io.path, settings[:formats]
+     )
+    ```
+
+    Our given folder is then [passed unchecked] to the `Cama_uploader`:
+
+    [passed unchecked]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L73-L74
+
+    ```ruby
+    key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash
+    res = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] })
+    ```
+
+    In the [add_file] method of `CamaleonCmsLocalUploader` this key argument containing the
+    unchecked path is then used to write the file to the file system:
+
+    [add_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L77
+
+    ```ruby
+    def add_file(uploaded_io_or_file_path, key, args = {})
+      [..]
+      upload_io = uploaded_io_or_file_path.is_a?(String) ? File.open(uploaded_io_or_file_path) : uploaded_io_or_file_path
+      File.open(File.join(@root_folder, key), 'wb') { |file| file.write(upload_io.read) }
+      [..]
+    end
+    ```
+
+    ## Impact
+
+    This issue may lead up to Remote Code Execution (RCE) via arbitrary
+    file write.
+
+    ## Remediation
+
+    Normalize file paths constructed from untrusted user input before using
+    them and check that the resulting path is inside the targeted directory.
+    Additionally, do not allow character sequences such as `..` in untrusted
+    input that is used to build paths.
+
+    ## See Also
+
+    [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+    [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+  cvss_v3: 9.9
+  unaffected_versions:
+  - "< 2.8.0"
+  patched_versions:
+  - ">= 2.8.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-46986
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5
+    - https://github.com/owen2345/camaleon-cms/commit/b3b12b1e4a9e3fccaf5bb4330820fa7f8744e6bd
+    - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
+    - https://owasp.org/www-community/attacks/Path_Traversal
+    - https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released
+    - https://github.com/advisories/GHSA-wmjg-vqhv-q5p5
+---
