msutovsky-r7
Contributor

This PR adds modules for CVE-2023-28459 and CVE-2023-28458. Previously, the modules were split into separate PRs (#20413, #20404); it makes more sense to have them together in one PR, as they both exploit similar functionality.

Vulnerable Application

Pretalx is a web-based conference planning tool, used to manage call for paper submissions, talk selection and so on. It is used by many major IT conferences, such as OffensiveCon, Hexacon, ... Versions 2.3.1 and prior are vulnerable to arbitrary file read, which exploits an unsanitized path in the schedule export. The module requires a set of credentials of a Pretalx user, and Pretalx needs to have an existing conference where the attacker can submit a malicious proposal.

Installation steps:

  1. git clone https://github.com/pretalx/pretalx-docker.git
  2. Change the content of docker-compose.yml to the following:
services:
  pretalx:
    image: pretalx/standalone:v2.3.1
      # image: pretalx/dev
    # build: .
    container_name: pretalx
    restart: unless-stopped
    depends_on:
      - redis
      - db
    environment:
      # Hint: Make sure you serve all requests for the `/static/` and `/media/` paths when debug is False. See [installation](https://docs.pretalx.org/administrator/installation/#step-7-ssl) for more information
      PRETALX_FILESYSTEM_MEDIA: /public/media
      PRETALX_FILESYSTEM_STATIC: /public/static
    ports:
      - "80:80"
    volumes:
      - ./conf/pretalx.cfg:/etc/pretalx/pretalx.cfg:ro
      - pretalx-data:/data
      - pretalx-public:/public
  db:
    image: docker.io/library/postgres:15-alpine
    container_name: pretalx-db
    restart: unless-stopped
    volumes:
      - pretalx-database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: veryunsecureplschange # same password as one that you will put in pretalx.cfg file later on
      POSTGRES_USER: pretalx
      POSTGRES_DB: pretalx
  redis:
    image: redis:latest
    container_name: pretalx-redis
    restart: unless-stopped
    volumes:
      - pretalx-redis:/data
volumes:
  pretalx-database:
  pretalx-data:
  pretalx-public:
  pretalx-redis:
  3. sudo docker-compose up
  4. Set up username and password
  5. Go to orga/event/
  6. Create new conference
  7. Go to orga/event/[conference name]/schedule/rooms/
  8. Create a room
  9. Go to orga/event/[conference name]/
  10. Make conference go live
  11. sudo docker exec -u 0 -it pretalx /bin/bash
  12. Make sure you have the correct rights on the /data folder, so the pretalx user can write the export there
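The description above names the bug class (the export pulls in every file referenced by an HTML tag without checking where the path points). The following is an added illustration, not code from Pretalx or from the Metasploit module in this PR: a toy exporter with the unchecked resolver beside one that confines lookups to the media root, run on constructed files and a constructed HTML snippet. Function names, paths and file contents are all assumptions made for the demo.

```python
"""Added illustration, not code from Pretalx or from the Metasploit module in
this PR: a toy HTML exporter showing the bug class the PR description names
(every file referenced by a tag is pulled in without checking its path) next
to a resolver that confines lookups to the media root.  Every path, file name
and HTML snippet below is constructed for the demo."""
from html.parser import HTMLParser
from pathlib import Path
from typing import Callable, Dict, List, Optional
import tempfile


class RefCollector(HTMLParser):
    """Gather src/href values from every tag, as a permissive exporter would."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.refs.append(value)


def collect_refs(html: str) -> List[str]:
    parser = RefCollector()
    parser.feed(html)
    return parser.refs


def resolve_unchecked(media_root: Path, ref: str) -> Optional[Path]:
    """Vulnerable pattern: the reference is joined onto the media root as-is,
    so '..' segments climb out of it and an absolute ref replaces it entirely."""
    return media_root / ref


def resolve_confined(media_root: Path, ref: str) -> Optional[Path]:
    """Hardened pattern: reject absolute refs, resolve symlinks and '..', then
    require the result to still sit under the (resolved) media root.  A symlink
    inside the media directory that points outside fails the same check."""
    if Path(ref).is_absolute():
        return None
    root = media_root.resolve()
    candidate = (root / ref).resolve()
    if not candidate.is_relative_to(root):
        return None
    return candidate


def export_schedule(html: str, media_root: Path,
                    resolver: Callable[[Path, str], Optional[Path]]) -> Dict[str, bytes]:
    """Return {reference: bytes} for every file the export would bundle."""
    bundle: Dict[str, bytes] = {}
    for ref in collect_refs(html):
        path = resolver(media_root, ref)
        if path is not None and path.is_file():
            bundle[ref] = path.read_bytes()
    return bundle


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one legitimate image inside the media root and a
    file outside it that an export must never include."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        media = base / "media"
        media.mkdir()
        (media / "logo.png").write_bytes(b"PNG-BYTES")
        secret = base / "secret.txt"
        secret.write_text("constructed secret")
        html = ('<img src="logo.png">'
                '<a href="../secret.txt">relative escape</a>'
                f'<img src="{secret}">')
        return {
            "unchecked": sorted(export_schedule(html, media, resolve_unchecked)),
            "confined": sorted(export_schedule(html, media, resolve_confined)),
        }


if __name__ == "__main__":
    print(demo())
```

The unchecked resolver bundles all three references, including the file outside the media root reached both by a relative `..` segment and by an absolute path; the confined resolver keeps only `logo.png`. The key design point is resolving both the root and the candidate before comparing them, so that symlinks and `..` are normalised away before the containment test rather than string-matched.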

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

'uri' => normalize_uri('orga', 'admin/')
})

fail_with(Msf::Exploit::Failure::NoAccess, 'Do not have privilege to admin, please provide correct credentials') unless res&.code == 200
Contributor


Suggested change
fail_with(Msf::Exploit::Failure::NoAccess, 'Do not have privilege to admin, please provide correct credentials') unless res&.code == 200
fail_with(Msf::Exploit::Failure::Unknown, 'Something went wrong') unless res
fail_with(Msf::Exploit::Failure::NoAccess, 'Do not have privilege to admin, please provide correct credentials') unless res.code == 200


html = res.get_html_document
version_element = html.at('span//a')&.text
return version_element
Contributor


It might return a Rex::Version instead?

Comment on lines 63 to 65
return false unless res&.code == 302

true
Contributor


Suggested change
return false unless res&.code == 302
true
res&.code == 302

def register_proposal(proposal_info = {})
proposal_name = proposal_info[:proposal_name] || Rex::Text.rand_text_alphanumeric(10)
abstract = proposal_info[:abstract] || Rex::Text.rand_text_alphanumeric(10)
proposal_info[:description] || ''
Contributor


Suggested change
proposal_info[:description] || ''
description = proposal_info[:description] || ''

res_min_num_forms = hidden_inputs.dig(0, 'resource-MIN_NUM_FORMS')
res_max_num_forms = hidden_inputs.dig(0, 'resource-MAX_NUM_FORMS')

data_post = get_resource_data({ csrf_token: csrf_token, proposal_name: proposal_name, submission_type: submission_type, content_locale: content_locale, abstract: abstract, description: description, notes: Rex::Text.rand_text_alphanumeric(16), image: '', total_forms: '1', initial_forms: res_initial_forms, min_num_forms: res_min_num_forms, max_num_forms: res_max_num_forms, resource_id: '', resource_description: Rex::Text.rand_text_alphanumeric(4), resource_name: resource_name, resource_content: resource_data })
Contributor


Please, can you reformat this into multiple lines?

update_info(
info,
'Name' => 'Pretalx Arbitrary File Read/Limited File Write',
'Description' => 'This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires crendetials that allow schedule export, schedule release and approval of proposals. Additionaly, module requires conference name and URL for media files.',
Contributor


Suggested change
'Description' => 'This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires crendetials that allow schedule export, schedule release and approval of proposals. Additionaly, module requires conference name and URL for media files.',
'Description' => 'This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires credentials that allow schedule export, schedule release and approval of proposals. Additionally, module requires conference name and URL for media files.',

)
register_options([
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptString.new('FILE_CONTENT', [false, 'Content to overwritten file']),
Contributor


This option doesn't seem to be used.

Suggested change
OptString.new('FILE_CONTENT', [false, 'Content to overwritten file']),

end

def exploit
cookie_jar.clear
Contributor


Suggested change
cookie_jar.clear

@msutovsky-r7 msutovsky-r7 marked this pull request as draft August 22, 2025 11:36
@msutovsky-r7 msutovsky-r7 marked this pull request as ready for review August 22, 2025 13:29
@bwatters-r7 bwatters-r7 merged commit f1dffd3 into rapid7:master Aug 27, 2025
47 checks passed
@bwatters-r7
Contributor

bwatters-r7 commented Aug 27, 2025

Release Notes

Adds two modules: one remote exploitation module targeting CVE-2023-28458, an authenticated limited file write, and a second auxiliary scanner module targeting CVE-2023-28459, an authenticated file read vulnerability.

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 27, 2025