Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Camaleon CMS is vulnerable to a path traversal in the download_private_file action of MediaController that lets any authenticated user download arbitrary files readable by the web server process. Exposed files can include application configuration, database credentials and other secrets, which in turn give an attacker a foothold for further compromise (for example, database access or forging sessions with a leaked Rails secret). Upgrade to version 2.8.2 or later; no workaround is known.
Step 1: Authentication: The attacker first authenticates to the Camaleon CMS instance. Any valid account suffices; the advisory does not require administrative privileges. Credentials could be obtained through the usual means (e.g., credential stuffing, phishing, or a prior vulnerability).
Step 2: Payload Construction: The attacker crafts a request to the download_private_file action of MediaController whose file parameter contains path traversal sequences, with enough ../ components to climb from the private media directory to the filesystem root (e.g., ../../../../etc/passwd). Percent-encoded forms such as %2e%2e/ are decoded by Rails before the controller sees the parameter, so they are equivalent.
Step 3: Request Submission: The attacker submits the crafted request to the vulnerable Camaleon CMS instance using the authenticated session.
Step 4: Vulnerability Trigger: download_private_file joins the supplied value onto the private media directory without canonicalizing the result or verifying that it still lies inside that directory, so the ../ sequences take effect.
Step 5: File Retrieval: The server opens the file at the resolved path with the privileges of the Rails process. Any file that user can read is exposed, which is why the advisory qualifies the impact with "depending on the file permissions".
Step 6: Information Disclosure: The contents of the requested file (e.g., /etc/passwd) are returned to the attacker as the download response body, leading to information disclosure.
The root cause is insufficient validation of the file path parameter in MediaController's download_private_file method: user-supplied input is concatenated into a filesystem path and used as-is, so an attacker can include ../ sequences to step outside the intended private media directory and read arbitrary files. Stripping "../" from the string is not a sufficient fix (a single pass leaves "....//" intact, and symlinks are not addressed at all); the correct check resolves the joined path to its canonical form and refuses to serve it unless the resolved path is still inside the private directory.