Egidio Romano

Hi,

I just discovered a Zip Slip Vulnerability affecting the Styles Import feature:

  1. Log in to the admin panel
  2. Go to Appearance -> Styles
  3. Click on "Import" and upload the attached zip file
  4. Notice how the malicious PHP file will be written outside of the temp directory, reachable at http://[xenforo]/internal_data/temp/sh.php

Successful exploitation of this vulnerability requires an account with permissions to administer styles.

Should you have any questions, please feel free to reach out.

Best regards,
Egidio Romano
Karma(In)Security

Jon

Hi Egidio,

Thank you for your report. I have passed this on to our senior dev team to investigate and we will get back to you shortly.

Regards

Jon

Egidio Romano

Hi, any update on this one? Did you manage to reproduce the vulnerability?

Egidio Romano

Hi, I'd just like you to know that I usually give a disclosure deadline to software vendors, and I'd say in this case 60 days are more than enough to fix this vulnerability. That means I will publish details about this vulnerability on March 2, 2024. Hope you will release a fixed version before that date.

Jeremy

Hi Egidio,

I was able to confirm that style and add-on archives containing relative paths were able to escape their container directory and bypass subsequent validation checks. Fortunately, the scope is fairly limited since exploiting this requires an administrator to upload a malicious archive. In future releases, we will skip over any files containing relative paths to mitigate this.

Thank you for the report.

Jeremy
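The mitigation Jeremy describes, skipping archive entries whose path would resolve outside the extraction directory, is the standard defence against Zip Slip. The following is an added illustration written for this page, not XenForo's own code: it resolves each entry name against the target directory before writing anything, rejects entries that escape (`../` traversal, absolute paths, and the backslash variant), and is driven by a small constructed archive built in memory so it runs offline. The function and file names are assumptions for the example.

```python
import io
import os
import tempfile
import zipfile


def resolve_entry(root: str, name: str):
    """Map an archive entry name to its final path under root.

    Returns the absolute destination path, or None when the entry would be
    written outside root (Zip Slip): '../' traversal, an absolute path, or a
    Windows drive prefix. Backslashes are treated as separators so that an
    entry such as 'style\\..\\..\\x.php' is caught on POSIX hosts as well.
    """
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or os.path.splitdrive(normalised)[0]:
        return None
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, normalised))
    # realpath() collapses '..' lexically, so the containment test is exact.
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


def safe_extract(archive: zipfile.ZipFile, root: str):
    """Extract entries that stay inside root; skip and report the rest."""
    written, skipped = [], []
    for info in archive.infolist():
        dest = resolve_entry(root, info.filename)
        if dest is None:
            skipped.append(info.filename)   # log this: it is an attack signal
            continue
        if info.is_dir():
            os.makedirs(dest, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with archive.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
        written.append(info.filename)
    return written, skipped


def build_constructed_archive() -> zipfile.ZipFile:
    """Constructed sample: a style archive with two traversal entries (not
    the attachment from the report). Contents are placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("style/style.xml", "placeholder")
        zf.writestr("style/sub/../assets.css", "placeholder")   # stays inside root
        zf.writestr("../../outside.txt", "placeholder")         # escapes root
        zf.writestr("style\\..\\..\\outside2.txt", "placeholder")  # backslash variant
    buf.seek(0)
    return zipfile.ZipFile(buf)


def demo():
    """Extract the constructed archive into a fresh temp directory and report
    what was written, what was skipped, and what actually exists on disk."""
    root = tempfile.mkdtemp(prefix="style_import_")
    written, skipped = safe_extract(build_constructed_archive(), root)
    on_disk = sorted(
        os.path.relpath(os.path.join(d, f), root)
        for d, _, files in os.walk(root)
        for f in files
    )
    return written, skipped, on_disk


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the containment check is done on the resolved path rather than by string-matching `..`, so an entry like `style/sub/../assets.css` that nets out inside the directory is still accepted, and each skipped entry is worth logging, since a style or add-on archive that contains traversal entries is itself an indicator that an administrator account or its upload was tampered with.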

Egidio Romano

Hi,

Are you planning to fix this issue in the next XenForo release? And if so, what is the ETA for it?

Jeremy

Hi Egidio,

A fix has been implemented and will be available in the next release (2.2.14). We do not have a concrete release date set, but I expect it will be published in early February.

Thanks again for bringing this to our attention and do let us know if you have further questions or concerns.

Jeremy

Egidio Romano

Hi there, I just noticed today that you've released version 2.2.14... However, I don't see any reference/note about the fix for this vulnerability. Does that mean the vulnerability is not fixed yet?

Jeremy

Hi Egidio,

My apologies for the oversight. Our release notes are automatically generated, and I did not flag this for manual inclusion before they were published. I have added a note and attribution to the announcement.

Jeremy