module
DotCMS RCE via Arbitrary File Upload.
| Disclosed | Created |
|---|---|
| 2022-05-03 | 2022-06-02 |
Disclosed
2022-05-03
Created
2022-06-02
Description
When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the
file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename
passed in via the multipart request header and thus does not sanitize the temp file's name. This allows a
specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content) that get
written outside of the dotCMS temp directory. In the case of this exploit, an attacker can upload a special
.jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.
file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename
passed in via the multipart request header and thus does not sanitize the temp file's name. This allows a
specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content) that get
written outside of the dotCMS temp directory. In the case of this exploit, an attacker can upload a special
.jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.
Authors
Shubham Shah
Hussein Daher
jheysel-r7
Hussein Daher
jheysel-r7
Platform
Linux,Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.