Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Directory Traversal vulnerability in Textpattern CMS v4.8.8
Hi there,
A client’s provider just notified me on this vulnerability: https://www.cvedetails.com/cve/CVE-2023-36220/
They classify this as HIGH … any thoughts and fixes?
Cheers,
-martin
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
Hmmm, will investigate. As far as I’m aware. this hasn’t come through our official security channel.
Thank you for the notification. Wouldn’t have spotted it otherwise.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
Bloke, no problem, I was quite surprised as well by the email.
Thanx, as always.
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
From that page there is also another linked issue. Not sure if this the same one (the date is a couple of months earlier). But that one looks like it’s covered by our security considerations and is probably mitigated by employing .htaccess, as we recommend. But we’ll check that one out too just in case.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
My thoughts: penetration testing is trending, because some projects will give financial rewards for finding vulnerabilities. Also Github profiles are used as online CV’s, so finding “critical” vulnerabilities means having something seemingly valuable in the CV. For example with Textpattern CMS someone had found a vulnerability where… …a logged-in Textpattern user with admin privileges could vandalize the site. 🤦🏻 For that reason I’d like to remind Bloke and others that some of these vulnerabilities are false.
Last edited by kuopassa (2023-10-11 21:51:14)
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
Looked at the CVE, which is referring to a directory traversal. The referenced code though is referring to the weakness of the plugin upload function (e.g to upload some evil shell execution), only available to logged in admins (and thus covered by your security hints, as linked above).
Never the less, the function plugin_upload() in include/txp_plugin.php is indeed not stripping off any path components of the uploaded file so it should be possible, as a logged in admin, to place the the plugin somewhere else than in the plugin dir (if not the web server prevents this with e.g. an open_basedir restriction in its config). I have not tested this, but line 619: $filename = $_FILES[“theplugin”][“name”]; takes stuff for what it is and then on line 621 appends that to resulting target path: $target_path = rtrim(get_pref(‘tempdir’, PLUGINPATH), DS).DS.$filename;
Maybe a patch, something like this, would be useful:
diff txp_plugin.php-4.8.8-original txp_plugin.php
618,619c618,622
< if ($_FILES[“theplugin”][“name”]) {
< $filename = $_FILES[“theplugin”][“name”];
—-
> if ($_FILES[“theplugin”][“name”]) {
> // 2023-12-01 bg1 fix for https://www.cvedetails.com/cve/CVE-2023-36220/
> // skip any path components of file
> // $filename = $_FILES[“theplugin”][“name”];
> $filename = pathinfo($_FILES[“theplugin”][“name”])[‘basename’];
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
That’s not a bad idea actually, bg1. Confining plugins to the directory in which the .htaccess resides that governs access to the plugins is shrewd, and what is intended.
Thank you.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
Patched in bc001d9 for Textpattern 4.9+.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
That’s good, Bloke. Neat, small patch being easy on the eye.
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
Now credited – thanks, bg1!
Offline
Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8
Thanks, gaekwad! :)
Offline