October CMS Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in October CMS versions from 1.0.421 up to, but not including, 1.0.469. It allows an unauthenticated user to read local files on the server by sending a specially crafted request. The issue arises from inadequate validation of file paths in the Halcyon Builder component, which manages file queries and template rendering.
Impact
Exploitation of this vulnerability allows for unauthorized reading of local files on the server where October CMS is hosted.
Reproduction
The vulnerability can be reproduced by sending a request that includes a file name parameter with a value that specifies a file path on the server. This can be done using the October CMS Twig environment by loading a template with an absolute path that points to a file outside the allowed directory.
Remediation
Users can upgrade to October CMS version 1.0.469 or 1.1.0, where this vulnerability has been patched. Alternatively, if an upgrade is not possible, the patch available in the October CMS library repository commit '80aab47' can be applied manually.
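The check whose absence this advisory describes, shown as an added example that is not October CMS's own code and not the patch in commit 80aab47: a template-name validator that refuses absolute paths, stream-wrapper prefixes and traversal segments, restricts the extension, and confirms after symlink resolution that the file lies inside the theme directory. The function name safeTemplatePath and the temporary theme layout are assumptions.

```php
<?php
// Added example, not October CMS code and not the patch in commit 80aab47.
// Assumed names: safeTemplatePath() and the theme directory passed as $themeDir.
// Confines a requested template name to the theme directory before any loader sees it.

function safeTemplatePath(string $themeDir, string $fileName, array $allowedExt = ['htm', 'twig']): ?string
{
    // Refuse NUL bytes (they truncate paths in lower-level file APIs), absolute paths
    // (POSIX and Windows drive forms) and stream-wrapper prefixes such as php://.
    if (strpos($fileName, "\0") !== false
        || preg_match('#^(?:/|\\\\|[A-Za-z]:[\\\\/]|[A-Za-z][A-Za-z0-9+.-]*://)#', $fileName)) {
        return null;
    }
    // Split on either separator and refuse any traversal segment outright,
    // so the decision does not depend on the target existing yet.
    $parts = [];
    foreach (preg_split('#[\\\\/]+#', $fileName) as $segment) {
        if ($segment === '..') {
            return null;
        }
        if ($segment !== '' && $segment !== '.') {
            $parts[] = $segment;
        }
    }
    // Only template extensions are ever loadable, whatever directory the path names.
    $name = end($parts);
    if ($name === false || !in_array(strtolower(pathinfo($name, PATHINFO_EXTENSION)), $allowedExt, true)) {
        return null;
    }
    // Final check after symlink resolution: the real file must sit below the real theme dir.
    $base = realpath($themeDir);
    if ($base === false) {
        return null;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts));
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed demonstration: one real template inside a temporary theme directory.
$theme = sys_get_temp_dir() . '/theme_' . bin2hex(random_bytes(4));
mkdir($theme . '/pages', 0700, true);
file_put_contents($theme . '/pages/home.htm', "<p>home</p>\n");
foreach (['pages/home.htm', '/etc/hostname', '../../config/app.php', 'pages/../../x.htm'] as $request) {
    printf("%-24s => %s\n", $request, safeTemplatePath($theme, $request) ?? 'REJECTED');
}
```

Only the first request resolves; the other three are rejected before any file is opened, which is the behaviour a loader needs regardless of how the name reached it.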
