Camaleon CMS
cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*
- >= 2.4.5.0, <= 2.9.0
A path traversal vulnerability has been identified in Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e. This vulnerability exists in the AWS S3 uploader implementation, specifically within the 'download_private_file' functionality, when the application uses the 'CamaleonCmsAwsUploader' backend. Unlike the local uploader, the AWS version fails to properly validate file paths, allowing authenticated users, including those with low privileges, to exploit directory traversal sequences and access arbitrary files from the web server's filesystem. Sensitive files, such as '/etc/passwd', can be read as a result of this vulnerability. This issue also represents a bypass of the incomplete fix for CVE-2024-46987.
Exploitation of this vulnerability allows authenticated users to read arbitrary files from the server's filesystem, potentially leading to the disclosure of sensitive information.
To reproduce this vulnerability, an authenticated user can upload a file using the AWS S3 uploader. The user can then manipulate the file path to include directory traversal sequences, such as '../', to access restricted files on the server, like '/etc/passwd'. This can be done by specifying the crafted file path in the file parameter, taking advantage of the uploader's lack of proper path validation.
Users can update to Camaleon CMS version 2.9.0 or later, where this vulnerability has been fixed.
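The missing control described above is a containment check on the requested path before any file is read. The following is an added example, not Camaleon CMS code and not the change made in commit f54a77e; the helper names and the base directory `/srv/camaleon/private` are hypothetical.

```ruby
require "pathname"

# Hypothetical names throughout; this is not Camaleon CMS code.
class UnsafePathError < StandardError; end

# Resolve user_path beneath base_dir, raising if the result leaves base_dir.
def resolve_private_path(base_dir, user_path)
  raise UnsafePathError, "empty path" if user_path.nil? || user_path.empty?
  raise UnsafePathError, "NUL byte in path" if user_path.include?("\0")

  base = Pathname.new(File.expand_path(base_dir))
  # Pathname#join lets an absolute user_path replace the base, and cleanpath
  # collapses "." and ".." lexically, so both cases surface in the check below.
  candidate = base.join(user_path).cleanpath

  # Compare against base plus a separator so "/srv/x/private_evil" does not
  # pass as a child of "/srv/x/private".
  inside = ->(path, root) { path.to_s.start_with?(root.to_s + File::SEPARATOR) }
  raise UnsafePathError, "path escapes base directory" unless inside.(candidate, base)

  # If the target exists, repeat the check on the symlink-resolved paths.
  if candidate.exist? && !inside.(candidate.realpath, base.realpath)
    raise UnsafePathError, "symlink escapes base directory"
  end
  candidate.to_s
end

def private_path_allowed?(base_dir, user_path)
  resolve_private_path(base_dir, user_path)
  true
rescue UnsafePathError
  false
end

if __FILE__ == $PROGRAM_NAME
  base = "/srv/camaleon/private" # constructed sample directory
  ["reports/q1.pdf", "../../../etc/passwd", "/etc/passwd"].each do |p|
    puts "#{p.inspect}: #{private_path_allowed?(base, p) ? 'allowed' : 'rejected'}"
  end
end
```

The check is applied to the fully resolved path rather than by searching the input for `../`, so it holds regardless of how the traversal sequence is arranged inside the parameter.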