Latest YouTube Video

Saturday, April 9, 2016

[FD] [CVE-2016-3972]DotCMS Directory traversal vulnerability

Advisory: DotCMS Directory traversal vulnerability Author: Piaox From Pingan Product Safety Group Email: xiongyaofu351@pingan.com.cn Affected Version: dotCMS 3.5 Beta(the latest version) ========================== Vulnerability Description Recetly, I found a Directory traversal vulnerability in ‘DotCMS' program, DotCMS is widely used in many companies. Vulnerable file is: “com.dotmarketing.servlets.taillog.TailLogServlet.class” File file = *null*; String tailLogLofFolder = *Config*.*getStringProperty*( "TAIL_LOG_LOG_FOLDER", "./dotsecure/logs/"); *try* { *if* (!tailLogLofFolder.endsWith(File.separator)) { tailLogLofFolder = tailLogLofFolder + File.separator; } file = *new* File(*FileUtil*.*getAbsolutlePath*(tailLogLofFolder + fileName)); } *catch* (Exception e) { *Logger*.*error*(getClass(), "unable to open log file '" + tailLogLofFolder + fileName + "' please set the config variable TAIL_LOG_LOG_FOLDER correctly"); } *if* ((file == *null*) || (!file.exists())) { response.sendError(403); *AdminLogger*.*log*(*TailLogServlet*.*class*, "service", "Someone tried to use the TailLogServlet to display a file not in the logs directory" ); *return*; } String regex = *Config*.*getStringProperty*("TAIL_LOG_FILE_REGEX"); //WEB-INF/classes/dotmarketing-config.properties:TAIL_LOG_FILE_REGEX=.*\.log$|.*\.out$ *if* (!*UtilMethods*.*isSet*(regex)) { regex = "!.*"; } *if* (!Pattern.compile(regex).matcher(fileName).matches()) { //Only detects whether the file extension .log end,lead ,caused Directory traversal vulnerability. *return*; } response.setContentType("text/html;charset=UTF-8"); ServletOutputStream out = response.getOutputStream(); out.print(""); out.flush(); *Tailer* tailer = *null*; *long* startPosition = file.length() - 5000L < 0L ? 0L : file.length() - 5000L; *MyTailerListener* listener = *new* MyTailerListener(*null*); listener.*handle*("Tailing " + fileName); listener.*handle*(

Source: Gmail -> IFTTT-> Blogger

No comments: