Totaljs CMS version 12.0 suffers from a path traversal vulnerability.
dbe07b4aa6634e2d9dc4eaab18f61c18*Totaljs CMS authenticated path traversal (could lead to RCE)*
[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup
**
[+] Title: Totaljs CMS authenticated path traversal (could lead to RCE)
[+] Affected software: Totaljs CMS 12.0
[+] Description: An authenticated user with “Pages” privilege can
include via path traversal attack (../) .html files that are outside the
permitted directory. Also if the page contains template directive, then
the directive will be server side processed, so if a user can control
the content of a .html file, then can inject payload with malicious
template directive to gain RemoteCodeExecution.
The exploit will work only with .html extension.
[+] Step to reproduce:
1) go to http://localhost:8000/admin/pages/
2) click on create button
3) enable burp proxy forwarding
4) select a template from the menu this will send a POST request to the API
5) from burp modify the json body request by adding the path traversal
on the template parameter like this
{"body":"","template":"../../../../../../../../../../../../var/www/html/test_rce"}
do NOT add the .html extension it will be added to the back-end API
6) send the request
[+] Project link: https://github.com/totaljs/cms
[+] Original report and details:
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
[+] Timeline:
- 13/02/2019 -> reported the issue to the vendor
.... many ping here
- 18/06/2019 -> pinged the vendor last time
- 29/08/2019 -> reported to seclist