CVE-2023-33690: patch for path traversal CVE-2023-33690 (legacy CMS version) by ernestang98 · Pull Request #183 · lane711/sonicjs

SonicJS up to v0.7.0 allows an authenticated attacker to perform a path traversal by injecting special characters into the filename of a CMS backup.

CVE · #vulnerability #js #auth

There is a path traversal vulnerability here for the legacy version of this product. I wrote a simple patch to detect and prevent path traversals.

POC can be found here:
https://www.youtube.com/watch?v=6ZuwA9CkQLg&ab_channel=ErnestAng

btw, I checked all releases for the legacy CMS and it seems that that entire chunk of code was removed, which prevents the path traversal vulnerability but does not allow users to download backups anymore. Don't know if it was intentional or was an error on the release team?

This ensures that lane711/sonicjs, all versions from 0.5.4 (where the backup service was first introduced) to 0.7.0 prior to the migration to the headless version, are not vulnerable to a path traversal. It is mainly caused by a user with administrative privileges being able to control the file name of the backup to be downloaded, and by that user-controlled file name input not being sanitised, which gives them the ability to read any file on the system as long as they know the path to it (local file inclusion vulnerability).
