blogifierdotnet / Blogifier

Blogifier is an open-source publishing platform written in ASP.NET and Blazor WebAssembly. With Blogifier, make a personal blog or a website.
https://blogifier.net
MIT License

New but not so critical Path Traversal vulnerability #172

Closed. Frycos closed this 4 years ago.

Frycos commented 4 years ago

Hi guys,

awesome software, clean code, I really like your project. I just wanted to let you know that during a short code review from my side, I found another path traversal vulnerability. Pretty sure it's not as critical as CVE-2019-12277 because there are preconditions which have to be met.

  1. You have to be authenticated as admin.
  2. You could only overwrite system-wide files for a pattern [SOMEWHERE_ON_FILE_SYSTEM]\assets\data.json. E.g., this could be another CMS or something installed in parallel, of course. At least, that could be a more likely case with respect to the naming precondition being met.

Using your API POST request to /api/themes/data with e.g. this JSON body

{ "theme": "..\\someDIR", "data": "{'a':1}" }

would overwrite the data.json file in a directory someDIR\assets of your Blogifier webroot. Of course it's not restricted to your webroot but since the naming convention (assets\data.json) is fixed, the vulnerability class is low-medium.

You could simply wrap this code with your already fixed version of sanitizing path strings (compare CVE-2019-12277).

rxtur commented 4 years ago

2.5.0.4 adds a check against the theme name, so there is no need to sanitize the path as it all combines well-known parts. Also added JSON validation, so if you try to write anything but JSON data it will throw. The latter also prevents saving invalid JSON when making edit mistakes.
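As an added example (not Blogifier's code), the unchecked path construction described in the report beside a hardened version in the spirit of the 2.5.0.4 fix: the theme name must be one of the installation's known themes, the resolved path must stay under the themes folder, and the body must parse as JSON before anything is written. The web root, the theme list and the `themes\<name>\assets\data.json` layout are assumptions for this example.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text.Json;

// Added example: vulnerable path construction beside a hardened version.
public static class ThemeDataWriter
{
    // Constructed sample values: the web root and the themes this install knows about.
    static readonly string WebRoot = Path.GetFullPath("wwwroot");
    static readonly string[] KnownThemes = { "standard", "simple" };

    // Vulnerable: the theme segment is combined into the path unchecked, so a value
    // such as "..\\someDIR" escapes the themes folder and lands in someDIR\assets\data.json.
    public static string UnsafeDataPath(string theme)
    {
        return Path.Combine(WebRoot, "themes", theme, "assets", "data.json");
    }

    // Hardened: only a known theme name is accepted, and the resolved path is
    // verified to remain inside the themes folder (defence in depth).
    public static string SafeDataPath(string theme)
    {
        if (string.IsNullOrEmpty(theme) ||
            !KnownThemes.Contains(theme, StringComparer.OrdinalIgnoreCase))
            throw new ArgumentException("Unknown theme name", nameof(theme));

        string themesRoot = Path.GetFullPath(Path.Combine(WebRoot, "themes"));
        string full = Path.GetFullPath(Path.Combine(themesRoot, theme, "assets", "data.json"));
        if (!full.StartsWith(themesRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the themes folder");
        return full;
    }

    // Writes data.json only for a valid theme and only if the body is well-formed JSON;
    // a body like {'a':1} (single quotes) makes JsonDocument.Parse throw, as the fix intends.
    public static void SaveThemeData(string theme, string data)
    {
        string path = SafeDataPath(theme);
        using (JsonDocument.Parse(data)) { }
        File.WriteAllText(path, data);
    }
}
```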