usd-2024-0012 | Directory Traversal in Contao 4.12.7

Advisory ID: usd-2024-0012
Product: Contao
Affected Version: < 4.13.49
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Security Risk: Medium CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vendor URL: https://contao.org/
Vendor Acknowledged Vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2024-45604
CVE Link: https://www.cve.org/CVERecord?id=CVE-2024-45604

Affected Component(s)

Contao File Selector Widget

Description

Authenticated backend users with access to the file manager can list files and directories outside the document root by supplying a relative path segment (`..`) in the `folder` parameter of the file selector widget's tree-loading request. The contents of the listed files cannot be read; the impact is limited to disclosure of file and directory names outside the intended file tree (hence CVSS C:L only).

Proof of Concept

POST /contao?do=files HTTP/2
Host: localhost
X-Requested-With: XMLHttpRequest
X-Request: JSON
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 76

action=loadFiletree&id=filetree_d1973b85&level=1&folder=..&state=1&name=name

The request must carry the session cookie of an authenticated backend user (omitted above). The `folder=..` value makes the widget render the directory one level above the configured upload directory instead of a folder inside it.

Fix

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. For this component that means validating the `folder` value against an allowlist of permitted path segments (no `..`, no leading slash, no backslashes) and, in addition, canonicalizing the resolved path and refusing to list it unless it lies within the configured upload directory.

Users of Contao should upgrade to a patched version (4.13.49 or later for the 4.13 branch).
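The following PHP example is added here to illustrate the fix guidance above; it is not Contao's code and does not reproduce the vendor's patch. It shows a minimal file-tree listing handler that takes a `folder` parameter like the one in the PoC, first in a vulnerable form and then hardened with an allowlist on path segments plus a canonical-path containment check. The function names, the `$uploadDir` layout and the temporary directory tree are assumptions constructed for the demonstration.

```php
<?php
// Added example (not Contao's code): a file-tree listing handler that takes a
// user-controlled "folder" parameter, shown vulnerable and hardened.
// listFolderVulnerable, listFolderSafe and the temp tree below are assumptions.

declare(strict_types=1);

/**
 * Vulnerable: the user-controlled folder is joined to the base directory and
 * handed straight to scandir(). A folder value of ".." lists the parent of the
 * upload directory, "../.." the directory above that, and so on.
 */
function listFolderVulnerable(string $uploadDir, string $folder): array
{
    $path = $uploadDir . '/' . $folder;
    return array_values(array_diff(scandir($path), ['.', '..']));
}

/**
 * Hardened: (1) "accept known good" on every path segment before touching the
 * filesystem, then (2) canonicalise with realpath() and accept the target only
 * if it is the base directory itself or lies below it. realpath() also resolves
 * symlinks, so a link inside the upload directory pointing outside is rejected.
 */
function listFolderSafe(string $uploadDir, string $folder): array
{
    // (1) Allowlist: a segment is a word character followed by word characters,
    // dots, dashes or spaces. ".." starts with a dot and therefore never matches.
    foreach (explode('/', str_replace('\\', '/', $folder)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // "a//b" and "./a" normalise harmlessly below
        }
        if (!preg_match('/^\w[\w .-]*$/', $segment)) {
            throw new InvalidArgumentException("Invalid folder segment: $segment");
        }
    }

    // (2) Canonical containment check as defence in depth.
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . '/' . $folder);
    if ($base === false || $target === false) {
        throw new RuntimeException('Folder does not exist');
    }
    // Compare against the base plus a separator so that "/var/www/files-old"
    // is not mistaken for a child of "/var/www/files".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Folder lies outside the upload directory');
    }
    return array_values(array_diff(scandir($target), ['.', '..']));
}

// Demonstration on a temporary directory tree constructed for this example:
//   <root>/secret.txt          (outside the upload directory)
//   <root>/files/images/a.png  (inside it)
$root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
mkdir("$root/files/images", 0700, true);
touch("$root/secret.txt");
touch("$root/files/images/a.png");
$uploadDir = "$root/files";

var_dump(listFolderVulnerable($uploadDir, '..'));   // leaks "secret.txt"
var_dump(listFolderSafe($uploadDir, 'images'));     // ["a.png"]
foreach (['..', '../..', 'images/../..', '..\\..'] as $evil) {
    try {
        listFolderSafe($uploadDir, $evil);
        echo "NOT blocked: $evil", PHP_EOL;
    } catch (Exception $e) {
        echo "blocked ($evil): ", $e->getMessage(), PHP_EOL;
    }
}
```

The allowlist alone already stops the advisory's `folder=..` payload; the realpath() containment check is kept because it also covers cases the regex cannot see, such as a symlink placed inside the upload directory by another user, and because a later refactoring of the allowlist should not silently reopen the hole.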

References

https://cwe.mitre.org/data/definitions/22.html
https://github.com/advisories/GHSA-4p75-5p53-65m9

Timeline

  • 2024-08-15: Vulnerability identified by Jakob Steeg.
  • 2024-09-02: Sent first contact request.
  • 2024-09-05: Contao reports that a fix is being worked on.
  • 2024-09-07: Contao published a fix in version 4.13.49.
  • 2024-10-30: This advisory is published.

Credits

This security vulnerability was identified by Jakob Steeg of usd AG.