Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2023-08-11 12:24:00

funtoosh
Member
From: Münster, Germany
Registered: 2006-10-09
Posts: 153
Website

Directory Traversal vulnerability in Textpattern CMS v4.8.8

Hi there,
A client’s provider just notified me on this vulnerability: https://www.cvedetails.com/cve/CVE-2023-36220/

They classify this as HIGH … any thoughts and fixes?

Cheers,
-martin

Offline

#2 2023-08-11 13:14:52

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,269
Website GitHub

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

Hmmm, will investigate. As far as I’m aware. this hasn’t come through our official security channel.

Thank you for the notification. Wouldn’t have spotted it otherwise.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Online

#3 2023-08-11 13:17:55

funtoosh
Member
From: Münster, Germany
Registered: 2006-10-09
Posts: 153
Website

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

Bloke, no problem, I was quite surprised as well by the email.

Thanx, as always.

Offline

#4 2023-08-11 13:21:31

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,269
Website GitHub

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

From that page there is also another linked issue. Not sure if this the same one (the date is a couple of months earlier). But that one looks like it’s covered by our security considerations and is probably mitigated by employing .htaccess, as we recommend. But we’ll check that one out too just in case.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Online

#5 2023-10-11 21:51:06

kuopassa
Plugin Author
From: Porvoo, Finland
Registered: 2008-12-03
Posts: 228
Website

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

My thoughts: penetration testing is trending, because some projects will give financial rewards for finding vulnerabilities. Also Github profiles are used as online CV’s, so finding “critical” vulnerabilities means having something seemingly valuable in the CV. For example with Textpattern CMS someone had found a vulnerability where… …a logged-in Textpattern user with admin privileges could vandalize the site. 🤦🏻 For that reason I’d like to remind Bloke and others that some of these vulnerabilities are false.

Last edited by kuopassa (2023-10-11 21:51:14)

Offline

#6 2023-12-01 14:25:35

bg1
New Member
Registered: 2023-12-01
Posts: 8
Mastodon

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

Looked at the CVE, which is referring to a directory traversal. The referenced code though is referring to the weakness of the plugin upload function (e.g to upload some evil shell execution), only available to logged in admins (and thus covered by your security hints, as linked above).

Never the less, the function plugin_upload() in include/txp_plugin.php is indeed not stripping off any path components of the uploaded file so it should be possible, as a logged in admin, to place the the plugin somewhere else than in the plugin dir (if not the web server prevents this with e.g. an open_basedir restriction in its config). I have not tested this, but line 619: $filename = $_FILES[“theplugin”][“name”]; takes stuff for what it is and then on line 621 appends that to resulting target path: $target_path = rtrim(get_pref(‘tempdir’, PLUGINPATH), DS).DS.$filename;

Maybe a patch, something like this, would be useful:

diff txp_plugin.php-4.8.8-original txp_plugin.php
618,619c618,622
< if ($_FILES[“theplugin”][“name”]) {
< $filename = $_FILES[“theplugin”][“name”];
—-
> if ($_FILES[“theplugin”][“name”]) {
> // 2023-12-01 bg1 fix for https://www.cvedetails.com/cve/CVE-2023-36220/
> // skip any path components of file
> // $filename = $_FILES[“theplugin”][“name”];
> $filename = pathinfo($_FILES[“theplugin”][“name”])[‘basename’];

Offline

#7 2023-12-01 16:23:55

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,269
Website GitHub

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

That’s not a bad idea actually, bg1. Confining plugins to the directory in which the .htaccess resides that governs access to the plugins is shrewd, and what is intended.

Thank you.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Online

#8 2023-12-01 21:02:27

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,269
Website GitHub

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

Patched in bc001d9 for Textpattern 4.9+.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Online

#9 2023-12-02 08:24:02

bg1
New Member
Registered: 2023-12-01
Posts: 8
Mastodon

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

That’s good, Bloke. Neat, small patch being easy on the eye.

Offline

#10 2023-12-02 16:24:38

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

Now credited – thanks, bg1!

Offline

#11 2023-12-03 14:12:48

bg1
New Member
Registered: 2023-12-01
Posts: 8
Mastodon

Re: Directory Traversal vulnerability in Textpattern CMS v4.8.8

Thanks, gaekwad! :)

Offline

Board footer

Powered by FluxBB