Local File Read through Improper Filename Validation in froxlor/froxlor

Valid

Reported on

Dec 29th 2022


Description

This vulnerability occurs because there is no filename validation on logo_image_login and logo_image_header in the import and export functions. An attacker can use a path traversal payload to leak local files such as /etc/passwd or the froxlor config file.

Proof of Concept

  1. Go to the import function under "Settings"
  2. Modify the filename of logo_image_login or logo_image_header with a path traversal payload, e.g. "../../../../../etc/passwd?v=1672300384"
  3. After the import succeeds, go to "Settings" and open the Export page
  4. Click Download/Export Settings; the leaked file is then in the panel.logo_image_login.image_data key of the JSON file, base64 encoded
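The check the report says is missing, written here as an added illustration rather than froxlor's own code: before the export routine reads the file named by a logo setting, it should reduce the value to a bare file name and confirm the resolved path stays inside the image directory. The directory, extension list and function name are assumptions.

```php
<?php
// Added example, not froxlor's code: validate a logo image setting value
// (logo_image_login / logo_image_header) before export reads the named file.
// Assumptions: logos live in one fixed directory and are referenced by a bare
// file name, optionally followed by a cache-busting "?v=..." suffix as in the
// report's payload. LOGO_DIR and the extension list are placeholders.
declare(strict_types=1);

const LOGO_DIR = '/var/www/froxlor/img';
const LOGO_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];

/**
 * Return the canonical path of the logo named by $setting, or null if the
 * value must be rejected: traversal sequences, directory separators,
 * unexpected characters, disallowed extensions, or a resolved path that
 * leaves $baseDir (which also covers symlinks pointing outside it).
 */
function resolveLogoPath(string $setting, string $baseDir = LOGO_DIR): ?string
{
    // Drop the optional query string; only the file name part is checked.
    $name = explode('?', $setting, 2)[0];

    // Allow-list the name: no slashes, no NUL bytes, no "..", known extension.
    if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)
        || strpos($name, '..') !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, LOGO_EXTENSIONS, true)) {
        return null;
    }

    // Canonicalise and confirm containment as a second, independent check.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// The report's payload fails the allow-list, so export never opens /etc/passwd;
// a plain "logo.png?v=1672300384" resolves only if that file exists in LOGO_DIR.
$rejected = resolveLogoPath('../../../../../etc/passwd?v=1672300384');
```

When the function returns null the export should skip or error on that setting instead of embedding file contents, and the import side should apply the same check so the bad value is never stored.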

Impact

An attacker can read local files that contain sensitive information, such as /etc/passwd or config files.

References

We are processing your report and will contact the froxlor team within 24 hours. 3 months ago
Ryuk modified the report
3 months ago
We have contacted a member of the froxlor team and are waiting to hear back 3 months ago
Michael
3 months ago

Maintainer


Again, still 0.10.x, which does not apply to our security policy for huntr.dev / reporting issues.

Ryuk
3 months ago

Researcher


I think when I cloned the repo (main branch), I found that there is SimExporter.php available in the library directory.

Ryuk
3 months ago

Researcher


I cloned froxlor at version '2.0.0-beta1' and checked that admin_settings.php still uses SImExporter::import and SImExporter::export. Can you recheck/confirm it?

Michael
3 months ago

Maintainer


Of course it uses the same file, but that does not necessarily mean that the issue still exists; there have been more than 540 commits since the last 0.10.x version.

Ryuk
3 months ago

Researcher


So if there is no commit regarding this security issue before I submitted this vulnerability, or no commit regarding changes to the import/export function, can I conclude that this one is valid?

Michael
3 months ago

Maintainer


Why don't you just clone the repo, install it, and test it?

Ryuk
3 months ago

Researcher


Yeah, I actually cloned the repo (main branch, like I said before) and had an issue while installing it. So I used the latest release (0.10.x) and it installed successfully. After finding a security issue I checked it manually on the main branch (2.x and latest commit) and found that the function is used on 2.x, then I reported the issue.

Ryuk
3 months ago

Researcher


I just installed 2.x (2.0.0-beta1, main branch) and I can confirm that it is vulnerable to local file read and RCE using the same payload as in 0.10.x, like I stated in the affected version. Also the proof that you've patched it after that.

Michael Kaufmann modified the Severity from High (7.6) to Medium (6.8) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Michael Kaufmann validated this vulnerability 3 months ago
Ryuk has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael
3 months ago

Maintainer


@Zen can you verify that the patch fixes the issue?

Ryuk
3 months ago

Researcher


Yeah sure, I'll check it.

Ryuk
3 months ago

Researcher


Is it possible for the maintainer to modify the N/A status to valid? Because I got a penalty on it regarding my other finding on froxlor (RCE).

Michael Kaufmann gave praise 3 months ago
I've just adjusted the severity together with another researcher to reflect it correctly; I didn't know you'd get a penalty for that. Have a thank you to resolve this :)
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Michael Kaufmann marked this as fixed in 2.0.0 with commit 983d92 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 16th 2023
Michael Kaufmann published this vulnerability 2 months ago