[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n
Advisory ID<\/strong>: usd20210006 <\/span><\/p>\n The ChronoForms function to download form input logs is vulnerable through path traversal attacks. This allows an attacker with administration permissions to download arbitrary files from web servers filesystem.<\/p>\n The parameter `fname` passed to the log script in the Joomla administration interface is not filtered for path traversal. This allows an attacker with administration permissions to download arbitrary files from the web servers filesystem, like for instance Joomla's configuration file containing secret credentials.<\/p>\n <\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n The corresponding function send($path, $view = 'D', $filename = '', $cache = false)<\/strong> in cegcore2\/libs\/download.php<\/em>.<\/p>\n The following steps need to be performed to exploit this issue.<\/p>\n <\/p>\n Open the vulnerable File in Webbrowser: https:\/\/<JoomlaInstallation>\/administrator\/index.php?option=com_chronoforms7&cont=logs&act=file&fname=<local_file><\/a>\u00a0<\/span><\/p>\n <\/span><\/p>\n Exemplary values for <local_file> are given in the following:<\/span><\/p>\n 1. References the \/etc\/passwd<\/strong> file:<\/span><\/p>\n <\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/11\/usd20210006-1-redacted.png\" title_text=\"usd20210006-1-redacted\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n 2. References the Joomla configuration file (Path might vary):<\/span><\/p>\n <\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/11\/usd20210006-2-redacted.png\" title_text=\"usd20210006-2-redacted\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n Restrict path specification for log file.<\/p>\n 2021-02-05: This vulnerability is identified by Tim Kranz and Nicolas Schickert.<\/p>\n<\/li>\n 2021-02-15: Initial contact with vendor.<\/p>\n<\/li>\n 2021-02-15: Vulnerability details are transmitted to the vendor.<\/p>\n<\/li>\n 2021-03-07: Status update requested.<\/p>\n<\/li>\n 2021-04-15: Status update requested.<\/p>\n<\/li>\n 2021-07-22: Status update requested.<\/p>\n<\/li>\n This security vulnerability was found by Nicolas Schickert and Tim Kranz of usd AG.<\/p>\n<\/div>\n<\/div>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2021-0006 | ChronoEngine ChronoForms v7 Advisory ID: usd20210006CVE Number: CVE-2021-28376Affected Product: ChronoEngine ChronoForms v7Affected Version: v7.0.7Vulnerability Type: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Security Risk: MediumVendor URL: https:\/\/www.chronoengine.com\/chronoforms Vendor Status: Unknown Description The ChronoForms function to download form input logs is vulnerable through path traversal attacks. This allows an attacker […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-17525","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/17525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=17525"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/17525\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=17525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
CVE Number<\/strong>: CVE-2021-28376
Affected Product<\/strong>: ChronoEngine ChronoForms v7
Affected Version<\/strong>: v7.0.7
Vulnerability Type<\/strong>: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/www.chronoengine.com\/chronoforms<\/a>
Vendor Status<\/strong>: Unknown<\/p>\nDescription<\/h3>\n
Vulnerable Code:
File<\/strong>: com_chronoforms7\/admin\/chronoforms\/controllers\/logs.php<\/em><\/h5>\n
$path = $this->get('cf_settings.upload.path').$this->data('fname');
\\G3\\L\\Download::send($path, 'D', basename($path));
}<\/div>\nProof of Concept (PoC)<\/h3>\n
Preparation:<\/h4>\n
\n
Exploiting:<\/h4>\n
Fix<\/h3>\n
<\/h3>\n
References<\/h3>\n
\n
<\/h3>\n
Timeline<\/h3>\n
\n
<\/h3>\n
Credits<\/h3>\n