Totaljs CMS 12.0 Path Traversal

Totaljs CMS version 12.0 suffers from a path traversal vulnerability.

MD5 | dbe07b4aa6634e2d9dc4eaab18f61c18

*Totaljs CMS authenticated path traversal (could lead to RCE)*

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS authenticated path traversal (could lead to RCE)

[+] Affected software: Totaljs CMS 12.0

[+] Description: An authenticated user with “Pages” privilege can
include via path traversal attack (../) .html files that are outside the
permitted directory. Also if the page contains template directive, then
the directive will be server side processed, so if a user can control
the content of a .html file, then can inject payload with malicious
template directive to gain RemoteCodeExecution.
The exploit will work only with .html extension.

[+] Step to reproduce:

1) go to http://localhost:8000/admin/pages/
2) click on create button
3) enable burp proxy forwarding
4) select a template from the menu this will send a POST request to the API
5) from burp modify the json body request by adding the path traversal
on the template parameter like this
do NOT add the .html extension it will be added to the back-end API
6) send the request

[+] Project link:

[+] Original report and details:

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 29/08/2019 -> reported to seclist

Related Posts