Issues » Bundle path traversal

Issue: SI-41
Date: Mar 9, 2017, 2:30:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 3.7.2
Credit: SafeDog Penetration and Defense Lab - Yong Cai
Description:

With a user that is authenticated to the backend, intentionally customized bundles can be uploaded that will write files to arbitrary locations on the filesystem.

Mitigation:

Should always be running dotCMS as a user that only has access to the parts of the filesystem necessary to run dotCMS.  These limited permissions will keep this vulnerability from being used to write files outside of the dotCMS / tomcat directory structure.

Access to vulnerability requires:

  • User must be authenticated
  • User must have access to publishing queue portlet

The soon to be released 3.7.2 version of dotCMSA fix will be forthcoming that will ensure that files from bundles can only be written to the intended location within dotCMS.

https://github.com/dotCMS/core/issues/10974

References

CERT issue CVE-2017-3188

Highly Rated and Recommended

We're rated Excellent 4.2/5 stars on G2 - with 95+ verified reviews