CouchCMS Information Disclosure Vulnerability via Directory Traversal

Vulnerability

A directory traversal vulnerability allowing information disclosure has been identified in CouchCMS version 2.4. It enables an authenticated admin user to read arbitrary files by traversing upward through parent directories, multiple levels above the application root. If exploited, it could lead to the disclosure of source code or other confidential information.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive files, including potentially confidential information or source code.

Reproduction

To reproduce this vulnerability, log into CouchCMS 2.4 as an admin user and capture the request for the 'Download Dump' feature using Burp Suite. Forward the request to the Repeater. Next, navigate to the CouchCMS root directory and create a text file with some data. Then apply the directory traversal payload by adding the file's path outside the CouchCMS directory to the request in Burp Repeater. Sending the request retrieves the file's contents, demonstrating access to files outside the application's root directory.

Remediation

Users are advised to upgrade to a version of CouchCMS later than 2.4.
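The root cause described above is a download handler that accepts a user-controlled file name without confining it to the directory it is meant to serve. The following is an added example, not CouchCMS code, of the containment check such a handler needs: the function name, the export directory and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example (not CouchCMS code): confine a user-supplied file name to a
// single export directory before serving it. Names and paths are assumptions.

/**
 * Return the absolute path of $requested inside $base_dir, or null if the
 * name would resolve anywhere outside that directory (parent-directory
 * segments, absolute paths, NUL bytes, or symlinks pointing elsewhere).
 */
function resolve_download_path(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null; // export directory missing: nothing to serve
    }
    // NUL bytes truncate paths in C-level file APIs; reject them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Allow only a bare file name: any directory separator is rejected.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null; // does not exist or is not a regular file
    }
    // Defence in depth: after symlink resolution the file must still sit
    // under the export directory (a symlinked entry could point outside).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($candidate, $prefix) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration on a constructed temporary export directory.
$export = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dump_demo_' . getmypid();
mkdir($export);
file_put_contents($export . DIRECTORY_SEPARATOR . 'site.sql', "-- constructed dump\n");
$outside = tempnam(sys_get_temp_dir(), 'outside_'); // a file outside $export

var_dump(resolve_download_path($export, 'site.sql') !== null);        // in-directory name
var_dump(resolve_download_path($export, '../' . basename($outside))); // parent traversal
var_dump(resolve_download_path($export, $outside));                   // absolute path

unlink($export . DIRECTORY_SEPARATOR . 'site.sql');
rmdir($export);
unlink($outside);
```

Only the first call yields a path; the two traversal attempts are refused before any file is opened, which is the behaviour a patched download feature should exhibit.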

Added: Jan 9, 2026, 5:26 PM
Updated: Jan 9, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 7.5
exploitability: 5.9
remediation: 7.7
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.