what you don't know can hurt you

MJML 4.6.2 Path Traversal

MJML 4.6.2 Path Traversal
Posted Jun 16, 2020
Authored by Julien Ahrens | Site rcesecurity.com

MJML versions 4.6.2 and below suffer from a path traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2020-12827
MD5 | a0a3f891f47c7b51f226844efd20e946

MJML 4.6.2 Path Traversal

Change Mirror Download
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: MJML
Vendor URL: https://github.com/mjmlio/mjml/
Type: Path Traversal [CWE-22]
Date found: 2020-04-28
Date published: 2020-06-14
CVSSv3 Score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)
CVE: CVE-2020-12827


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
MJML <= 4.6.2

As a solution MJML disabled mj-include by default in MJML v4.6.3 by adding the
"ignoreIncludes" directive, however, the component could still be explicitly
enabled, making the application vulnerable again.


4. INTRODUCTION
===============
MJML is a markup language created by Mailjet and designed to reduce the pain of
coding a responsive email. Its semantic syntax makes it easy and straightforward
while its rich standard components library fastens your development time and
lightens your email codebase. MJML’s open-source engine takes care of
translating the MJML you wrote into responsive HTML.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
MJML offers a component called "mj-include" that allows other external MJML
files to be included into the email template by using its "path" attribute.
(see https://mjml.io/documentation/#mj-include).

However MJML does not properly validate the value supplied to the "path"
argument, allowing an attacker to traverse directories or even directly point to
other system files outside of the web server's root directory.

However since MJML expects the referenced file to be in the format of a MJML
file, the attack scope is limited to:

- Leaking the local server path by pointing to a non-existing MJML file, which
throws an error containing the full path, i.e.:
<mjml><mj-include path='test'/></mjml>

- Enumerating local server files by using a true/false approach. Existing server
files return an error, while non-existing do not:
<mjml><mj-include path='/etc/passwd'/></mjml>

- Partially reading local binary server files. Pointing path to binary files
throws an error, but the error message does contain a portion of the referenced
file. On this way it is possible to leak parts of i.e. compressed local log
files:
<mjml><mj-include path='/var/log/apt/history.log.1.gz'/></mjml>

- Causing denial of service conditions on the application embedding MJML, by
reading i.e. /dev/urandom:
<mjml><mj-include path='/dev/urandom'/></mjml>


6. RISK
=======
The vulnerability can be used by an unauthenticated attacker or authenticated
attacker depending on how MJML is embedded to leak sensitive information about
the server such as local server paths and contents of compressed/binary files
or cause denial of service attacks against the application.


7. SOLUTION
===========
Update MJML to version 4.6.3 and keep "ignoreIncludes" set to false.


8. REPORT TIMELINE
==================
2020-04-28: Discovery of the vulnerability
2020-04-30: Reported the vulnerability to maintainers of MJML
2020-05-05: MJML pushes a fix disabling includes by default.
2020-05-11: CVE requested from MITRE
2020-05-13: MITRE assigns CVE-2020-12827
2020-06-14: Public disclosure.


9. REFERENCES
=============
https://github.com/mjmlio/mjml/commit/30e29ed2cdaec8684d60a6d12ea07b611c765a12


Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    11 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close