Bishop Fox Security Advisory: Critical Security Vulnerability Discovered in Silverpeas 5.15 to 6.0.2

The following document describes a vulnerability identified in Silverpeas versions 5.15 through 6.0.2.

Product Description

From the vendor’s website:

“Silverpeas is an open source WEB platform that improves the collaboration between the actors of a company or organization.” 

Silverpeas is widely used by notable French organizations, including ones in the media, retail, and government sectors.

Vulnerabilities List

One vulnerability was identified within the Silverpeas 5.15 to 6.0.2 application. 

Affected Versions

5.15 to 6.0.2

Solution

If you are running an affected version of Silverpeas, upgrade to the patched releases the vendor published on 12/14/2018 for the 5.15 and 6.0 branches (see the disclosure timeline below).

Path Traversal

Silverpeas 5.15 to 6.0.2 is affected by an authenticated path traversal vulnerability that is triggered during file uploads. It allows any regular (authenticated) user to write files with attacker-chosen content to arbitrary locations that are writable by the account running the application. An attacker can leverage this to drop an executable JSP file into an exposed web directory and execute commands on the underlying system.

Vulnerability Details

CVE ID: CVE-2018-19586

Access Vector: Remote 

Security Risk: Critical 

Vulnerability: CWE-23 (Relative Path Traversal)

CVSS Base Score: 9.9

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The path traversal vulnerability is located in an upload mechanism that is reachable from several other features (e.g., forum, ideas) with regular user privileges. The application builds the upload path from a client-controlled HTTP header value without sanitizing it:

The file is then created in /tmp:

By default, files are uploaded to $SILVERPEAS_HOME/data/temp/[UUID]/, which lies outside the deployed application's own directory tree. When Silverpeas is deployed with the official installer, the core package (containing the main Java classes and JSP files) is mounted in a virtual file system (VFS) whose path is randomized and not writable. However, the installer also ships a second web application archive (WAR) that is served under /weblib/ and whose on-disk path is not randomized, which makes it a predictable drop location.
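The snippet below is an added illustration for this advisory, written in Java because the affected code is Java; it is not Silverpeas' FileUploadData class and does not reproduce its logic. It places the vulnerable pattern (a header-supplied name joined to the per-upload directory as-is) next to a hardened variant that keeps only the last path component, refuses "." and "..", and verifies after normalization that the target is still a direct child of the upload directory. The upload directory, the header values and the main() driver are constructed for the example.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Illustrative only: not Silverpeas' FileUploadData. The directory passed in
// stands for $SILVERPEAS_HOME/data/temp/[UUID]/ and is an assumption.
public class UploadPathCheck {

    // Vulnerable pattern described in the advisory: the client-supplied name is
    // joined to the upload directory unchanged, so "../" segments walk out of it.
    static Path vulnerableTarget(Path uploadDir, String headerFileName) {
        return uploadDir.resolve(headerFileName);
    }

    // Hardened variant: strip any directory part the client sent, reject the
    // special names, then prove the normalized result stays inside uploadDir.
    static Path safeTarget(Path uploadDir, String headerFileName) throws IOException {
        if (headerFileName == null) {
            throw new IOException("missing file name header");
        }
        // Treat backslashes as separators too, so a Windows-style "..\\" cannot survive.
        String name = headerFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IOException("rejected file name: " + headerFileName);
        }
        Path target;
        try {
            // Paths.get rejects names the filesystem cannot represent (e.g. an embedded NUL).
            target = uploadDir.resolve(Paths.get(name)).toAbsolutePath().normalize();
        } catch (InvalidPathException e) {
            throw new IOException("invalid file name: " + headerFileName, e);
        }
        // Belt-and-braces: Path.startsWith compares whole components (so "/data/temp-x"
        // is not under "/data/temp"), and the file must be a direct child of uploadDir.
        Path dir = uploadDir.toAbsolutePath().normalize();
        if (!target.startsWith(dir) || !dir.equals(target.getParent())) {
            throw new IOException("path traversal attempt: " + headerFileName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample header values; the directory is hypothetical.
        Path uploadDir = Paths.get("/opt/silverpeas/data/temp/0b7e6a4e-example");
        String[] samples = {
            "minutes.pdf",
            "../../../../tmp/shell.jsp",   // constructed traversal attempt
            "..\\..\\shell.jsp",           // same attempt with Windows separators
            "..",
            "reports/q3.pdf"               // subdirectory is flattened, not honoured
        };
        for (String s : samples) {
            System.out.println("header value : " + s);
            System.out.println("  vulnerable : " + vulnerableTarget(uploadDir, s).normalize());
            try {
                System.out.println("  hardened   : " + safeTarget(uploadDir, s));
            } catch (IOException e) {
                System.out.println("  hardened   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running main() shows the vulnerable resolution escaping the upload directory for the traversal inputs while the hardened variant either rejects them or pins the file to uploadDir. In a real fix the upload name should additionally be generated server-side (or checked against an extension allowlist) so that a user cannot choose a .jsp name even inside the permitted directory.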

The request below can be used to deploy a malicious JSP file:

Command execution can then be achieved by using the deployed file, highlighted below:

The issue is due to a lack of user-input sanitization in the FileUploadData Java class. For more information, see:

Disclosure Timeline: 

  • 11/10/2018: Initial discovery for version 6.0.2
  • 11/26/2018: Initial notification of product vendor
  • 12/01/2018: Versions 5.15 to 6.0.2 discovered to be affected
  • 12/14/2018: Patches released for 5.15 and 6.0 

Researcher: