Thanks GHSL team member @p- for discovering and reporting this!
Arbitrary file delete in MediaController#delete_file (GHSL-2024-186) vulnerability reported:
"The actions method, defined inside of the MediaController class, doesn't check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS".
The report, though, isn't accurate, because the @current_site.upload_directory folder is prefixing the folder or file name to delete in the delete_folder and delete_file methods. What's missing is a traversal check.
This PR fixes the vulnerability by introducing a path traversal check into the delete_folder and delete_file methods of the CamaleonCmsLocalUploader.
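For readers who want to see what such a check looks like in practice, here is an added illustration; it is not the PR's diff or Camaleon CMS's own code. The class name TraversalSafeDeleter, its method names, and the constructed temp directory layout in demo are assumptions; the upload_directory argument stands in for @current_site.upload_directory. The point it demonstrates is that prefixing the upload directory alone is not enough: the request path must be resolved (".." and symlinks included) and then confirmed to still sit beneath the upload root before anything is deleted.

```ruby
require 'pathname'
require 'fileutils'
require 'tmpdir'

# Added example of a traversal check of the kind the PR describes.
# Names here are assumptions, not Camaleon CMS identifiers.
class TraversalSafeDeleter
  class PathTraversalError < StandardError; end

  def initialize(upload_directory)
    # Canonicalise the root once (follows symlinks, collapses "..") so every
    # later comparison is against the same absolute prefix.
    @upload_dir = Pathname.new(File.realpath(upload_directory))
  end

  # Resolve `relative` beneath the upload root and return it, or raise if the
  # resolved path escapes the root. Prefixing alone would let "../x" or an
  # absolute path walk out; expand_path resolves both before the check.
  def safe_path(relative)
    candidate = Pathname.new(File.expand_path(relative.to_s, @upload_dir.to_s))
    # If the target exists, follow symlinks too, so a link planted inside the
    # upload folder that points outside is caught as well.
    candidate = Pathname.new(File.realpath(candidate.to_s)) if candidate.exist?
    inside = candidate == @upload_dir ||
             candidate.to_s.start_with?(@upload_dir.to_s + File::SEPARATOR)
    raise PathTraversalError, "#{relative.inspect} escapes the upload directory" unless inside
    candidate
  end

  def delete_file(relative)
    path = safe_path(relative)
    File.delete(path) if path.file?
    path.to_s
  end

  def delete_folder(relative)
    path = safe_path(relative)
    raise PathTraversalError, 'refusing to delete the upload root itself' if path == @upload_dir
    FileUtils.rm_rf(path) if path.directory?
    path.to_s
  end
end

# Constructed scenario: an uploads folder with one image, and a file outside
# it that a traversal attempt would try to reach. Returns a hash of outcomes.
def demo
  Dir.mktmpdir do |root|
    uploads = File.join(root, 'uploads')
    FileUtils.mkdir_p(File.join(uploads, 'photos'))
    File.write(File.join(uploads, 'photos', 'a.jpg'), 'constructed image bytes')
    File.write(File.join(root, 'secret.txt'), 'constructed file outside uploads')

    deleter = TraversalSafeDeleter.new(uploads)
    results = {}
    ['photos/a.jpg', '../secret.txt', '/etc/passwd', 'photos/../../secret.txt'].each do |req|
      begin
        deleter.delete_file(req)
        results[req] = :deleted
      rescue TraversalSafeDeleter::PathTraversalError
        results[req] = :rejected
      end
    end
    results[:image_survives] = File.exist?(File.join(uploads, 'photos', 'a.jpg'))
    results[:secret_survives] = File.exist?(File.join(root, 'secret.txt'))
    results
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The check compares canonical absolute paths rather than looking for ".." in the raw string, because a string filter misses absolute paths, encoded separators, and symlinks. Note the trailing separator in the prefix comparison: without it, an upload root of /srv/uploads would wrongly accept /srv/uploads2/x.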