Security Issue - File uploads


We had a report of a security issue in eramba: without being logged in (with a valid account), if you hit any of the following URLs you would see content:

Upload page: https://yourserver/js/tinymce/plugins/jbimages/dialog-v4.htm
Uploaded image: https://yourserver/media/tinymce/images.jpg

Why does this work?
The ugly bug is the “dialog-v4.html”, as it allows a non-authenticated user to upload images (png or jpeg only) to your filesystem in a special directory: eramba_v2/app/webroot/media/tinymce.

Note: this directory is not the same directory where normal uploads are stored, so there is no chance someone uploads something that overwrites your files.

This plugin is used in the content editor for policies, which allowed you to upload images. We have released a patch (r68) that removes this feature (so these URLs will not work any more).

Since when has the vulnerability been there?

At least two years - this is more or less when we updated this plugin. Throughout that time eramba was scanned by us and by many of our customers … it never came up.

How do I know if I was affected?

Simply look at the folder “eramba_v2/app/webroot/media/tinymce” - you should not see anything other than the default images (which you can delete if you want).
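As an added example (not part of the original post or of eramba itself), a POSIX shell check for that folder: it lists every file whose name is not in the list of known default images you pass as arguments, and a second helper checks whether a file really starts with PNG or JPEG magic bytes, since the plugin should only have accepted those. The default image names are an assumption; take them from a clean install of the same release.

```shell
#!/bin/sh
# Assumed usage (names are placeholders for the real defaults):
#   find_unexpected_uploads /path/to/eramba_v2/app/webroot/media/tinymce default1.png default2.jpg

# Print the names of regular files in DIR that are not in the list of
# expected default file names given as the remaining arguments.
find_unexpected_uploads() {
  dir="$1"
  shift
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    known=0
    for expected in "$@"; do
      [ "$name" = "$expected" ] && known=1
    done
    [ "$known" -eq 0 ] && printf '%s\n' "$name"
  done
  return 0
}

# Return 0 if FILE starts with PNG (89 50 4e 47) or JPEG (ff d8 ff) magic bytes.
# Anything else in an image-only upload directory deserves a closer look.
is_png_or_jpeg() {
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    89504e47*|ffd8ff*) return 0 ;;
    *) return 1 ;;
  esac
}

# Report each unexpected file together with whether it is a real image.
report_uploads() {
  dir="$1"
  shift
  find_unexpected_uploads "$dir" "$@" | while IFS= read -r name; do
    if is_png_or_jpeg "$dir/$name"; then
      printf '%s\tpng/jpeg\n' "$name"
    else
      printf '%s\tNOT an image\n' "$name"
    fi
  done
}
```

Any file the report lists was written by someone other than the installer; delete it after you have noted its timestamp from `ls -l`, which tells you when the upload happened.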

What is the impact?

From a security perspective, in our view the impact could be that someone maxes out your FS storage by uploading images. Complicated, but even in the case this is achieved, remember that database engines have a lock mechanism when running out of space, and therefore no data would be compromised.

Important: this bug cannot DISCLOSE or challenge the INTEGRITY of your data.

How was it found?

The bug was found by mistake (literally) by one guy in Russia and reported to us by a customer and by him last Monday. We have now met and started to work together. This issue was not found by enumerating (crawling) - we do that almost every release and it never showed up.

Please update eramba!