Share
*Totaljs CMS authenticated path traversal (could lead to RCE)*  
  
[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup  
**  
  
[+] Title: Totaljs CMS authenticated path traversal (could lead to RCE)  
  
[+] Affected software: Totaljs CMS 12.0  
  
[+] Description: An authenticated user with โ€œPagesโ€ privilege can   
include via path traversal attack (../) .html files that are outside the   
permitted directory. Also if the page contains template directive, then   
the directive will be server side processed, so if a user can control   
the content of a .html file, then can inject payload with malicious   
template directive to gain RemoteCodeExecution.  
The exploit will work only with .html extension.  
  
[+] Step to reproduce:  
  
1) go to http://localhost:8000/admin/pages/  
2) click on create button  
3) enable burp proxy forwarding  
4) select a template from the menu this will send a POST request to the API  
5) from burp modify the json body request by adding the path traversal   
on the template parameter like this   
{"body":"","template":"../../../../../../../../../../../../var/www/html/test_rce"}  
do NOT add the .html extension it will be added to the back-end API  
6) send the request  
  
[+] Project link: https://github.com/totaljs/cms  
  
[+] Original report and details:   
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf  
  
[+] Timeline:  
  
- 13/02/2019 -> reported the issue to the vendor  
  
.... many ping here  
  
- 18/06/2019 -> pinged the vendor last time  
  
- 29/08/2019 -> reported to seclist