#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Monstra CMS
# Vendor:   Monstra (Open-source)
# CSNC ID:  CSNC-2018-27
# CVE ID:   N/A
# Subject:  Path Traversal
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Fabio Poloni
# Date:     04.09.2018
#
#############################################################

Introduction:
-------------

Monstra is a modern and lightweight Content Management System [1].

Compass Security was able to circumvent a security measure and got access
to the server and its stored data.

Affected:
---------

Vulnerable:
 * Version 3.0.4 (Latest Release as of 04.09.2018)

Other versions are not tested, but the whole 3.0 release and maybe older
major releases could be affected.

Technical Description
---------------------

The file manager in the administration panel is vulnerable to a path
traversal attack due to incomplete / insecure input validation.

In the `path` parameter, every occurrence of "/../" is replaced by an empty
string, but only in a single, non-recursive pass. A path traversal is
therefore still possible with "./.././", which the filter turns into "../"
and then accepts. The parameter must, however, begin with the string
"uploads/", or it is discarded entirely.

Example to get to the root directory when Monstra is installed under
"/var/www/html/monstra-3.0.4/":

http://localhost/monstra-3.0.4/admin/index.php?id=filesmanager&path=uploads/./../././../././../././../././../././.././

Workaround / Fix:
-----------------

Monstra 3.0.4 suffers from multiple vulnerabilities and has not been updated
recently; we therefore suggest using an alternative product.
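The following is an added illustration, not Monstra's own code: it models the single-pass "/../" filter described above in Python and puts it beside a canonicalise-then-check replacement, so the advisory's traversal string can be seen escaping the first and being rejected by the second. The install layout under /var/www/html/monstra-3.0.4/public is an assumption made for the example.

```python
import os
from typing import Optional

# Assumed layout for illustration; the advisory only names /var/www/html/monstra-3.0.4/.
BASE = "/var/www/html/monstra-3.0.4/public"   # directory the `path` parameter is resolved against
UPLOADS_ROOT = os.path.join(BASE, "uploads")   # the only directory the file manager should expose

# The traversal string quoted in the advisory.
ADVISORY_PAYLOAD = "uploads/./../././../././../././../././../././.././"


def vulnerable_filter(path: str) -> Optional[str]:
    """Model of the filter the advisory describes: the parameter must start
    with "uploads/" (otherwise it is discarded), and every "/../" is removed
    in one non-recursive pass, so "./.././" collapses to "../"."""
    if not path.startswith("uploads/"):
        return None
    return path.replace("/../", "")


def vulnerable_resolve(path: str) -> Optional[str]:
    """Directory the vulnerable model would actually open for `path`."""
    filtered = vulnerable_filter(path)
    if filtered is None:
        return None
    return os.path.normpath(os.path.join(BASE, filtered))


def hardened_resolve(path: str) -> Optional[str]:
    """Canonicalise first, then check containment, instead of stripping
    substrings. normpath() is purely lexical; on a live system use
    os.path.realpath() so symlinks below the uploads directory are resolved
    before the containment check."""
    candidate = os.path.normpath(os.path.join(BASE, path))
    if os.path.commonpath([UPLOADS_ROOT, candidate]) != UPLOADS_ROOT:
        return None
    return candidate
```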
Timeline:
---------

2018-09-04: Compass Security Advisory
2018-08-29: Public Disclosure by a third-party [2]
2018-08-20: Initial vendor notification
2018-08-13: Discovery by Fabio Poloni

References:
-----------

[1] https://github.com/monstra-cms/monstra
[2] https://github.com/monstra-cms/monstra/issues/457