{"id":17533,"date":"2021-11-30T13:21:49","date_gmt":"2021-11-30T12:21:49","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17533"},"modified":"2022-01-12T16:38:06","modified_gmt":"2022-01-12T15:38:06","slug":"usd-2021-0007","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0007\/","title":{"rendered":"usd-2021-0007"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2021-0007 | ChronoEngine ChronoForums<\/h1>\n

Advisory ID<\/strong>: usd20210007
CVE Number<\/strong>: CVE-2021-28377
Affected Product<\/strong>: ChronoEngine ChronoForums
Affected Version<\/strong>: v2.0.11
Vulnerability Type<\/strong>: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Security Risk<\/strong>: High
Vendor URL<\/strong>: https:\/\/www.chronoengine.com\/chronoforums<\/a>\u00a0<\/a> \u00a0<\/a>
Vendor Status<\/strong>: Unknown<\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

The ChronoForums avatar function is vulnerable through unauthenticated path traversal attacks. This enables unauthenticated attackers to read arbitrary files, like for instance Joomla's configuration file containing secret credentials.<\/p>\n

The ChronoForums avatar function is vulnerable through path traversal attacks. An attacker can pass arbitrary local file paths as 'av' parameter. The content of the file is returned. Unauthenticated attackers could use this vulnerabilities to read arbitrary files, like for instance Joomla's configuration file containing secret credentials.<\/p>\n

 <\/p>\n

Vulnerable Code:
File<\/strong>: com_chronoforums2\/chronoforums\/controllers\/profiles.php<\/h5>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n

function avatar(){
if(!empty($this->data['u']) AND !empty($this->data['av'])){
$avatars_path = \\GApp::extension('chronoforums')->settings()->get('avatars_path', \\G2\\Globals::ext_path('chronoforums','front').'avatars'.DS);
$target = $avatars_path.$this->data['av'];
\\G2\\L\\Download::send($target, 'I', $this->data['av'], true);
}else{
\\G2\\L\\Env::e404();
}<\/p>\n

$this->view = false;
}<\/div>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

The corresponding function send($path, $view = 'D', $filename = '', $cache = false)<\/strong>\u00a0in cegcore2\/libs\/download.php<\/em>.<\/p>\n

Proof of Concept (PoC)<\/h3>\n

The following steps need to be performed to exploit this issue.<\/p>\n

 <\/p>\n

Preparation:<\/h4>\n