Issues » Bundle path traversal

Issue: SI-41
Date: Mar 9, 2017 7:30:00 AM
Severity: Moderate
Requires Admin Access: Yes
Fix Version: 3.7.2
Credit: SafeDog Penetration and Defense Lab - Yong Cai
Description:

With a user that is authenticated to the backend, intentionally customized bundles can be uploaded that will write files to arbitrary locations on the filesystem.

Workaround:

Should always be running dotCMS as a user that only has access to the parts of the filesystem necessary to run dotCMS.  These limited permissions will keep this vulnerability from being used to write files outside of the dotCMS / tomcat directory structure.

Access to vulnerability requires:

  • User must be authenticated
  • User must have access to publishing queue portlet

The soon to be released 3.7.2 version of dotCMSA fix will be forthcoming that will ensure that files from bundles can only be written to the intended location within dotCMS.

https://github.com/dotCMS/core/issues/10974

Issues

CERT issue CVE-2017-3188

Back to the top