usd-2021-0006 | ChronoEngine ChronoForms v7

Advisory ID: usd20210006
CVE Number: CVE-2021-28376
Affected Product: ChronoEngine ChronoForms v7
Affected Version: v7.0.7
Vulnerability Type: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Security Risk: Medium
Vendor URL: https://www.chronoengine.com/chronoforms
Vendor Status: Unknown

Description

The ChronoForms function to download form input logs is vulnerable through path traversal attacks. This allows an attacker with administration permissions to download arbitrary files from web servers filesystem.

The parameter `fname` passed to the log script in the Joomla administration interface is not filtered for path traversal. This allows an attacker with administration permissions to download arbitrary files from the web servers filesystem, like for instance Joomla's configuration file containing secret credentials.

Vulnerable Code:
File: com_chronoforms7/admin/chronoforms/controllers/logs.php

The corresponding function send($path, $view = 'D', $filename = '', $cache = false) in cegcore2/libs/download.php.

Proof of Concept (PoC)

The following steps need to be performed to exploit this issue.

Preparation:

• Install Joomla 3.X
• Install latest ChronoEngine ChronoForms extensions (at time of discovery: v7.0.7)

Exploiting:

Open the vulnerable File in Webbrowser: https://<JoomlaInstallation>/administrator/index.php?option=com_chronoforms7&cont=logs&act=file&fname=<local_file> 

Exemplary values for <local_file> are given in the following:

1. References the /etc/passwd file:

2. References the Joomla configuration file (Path might vary):