JVNDB-2018-000036

Joruri Gw vulnerable to arbitrary file upload

Overview

Joruri Gw provided by SiteBridge Inc. is groupware which runs on Ruby on Rails. Joruri Gw contains a vulnerability that may allow an attacker to upload arbitrary files (CWE-434).

Shoji Baba of Kobe Digital Labo, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 3.5 (Low) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 3.5 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

SiteBridge Inc.
  • Joruri Gw Ver 3.2.0 and earlier

Impact

A user may upload arbitrary files.
When PHP code execution is enabled on the server, a user may execute arbitrary PHP code by uploading PHP files.
Solution

[Disable Unnecessary Functions from the System]
Disable PHP code execution on the server if it is not necessary.
Configure the server with only the necessary functions.

[Change Server Settings]
If PHP code execution features are required, configure the server to prevent uploaded PHP files being executed.
The installation manual of Joruri Gw Ver.2.3.1 and later contains the following (example configuration for Apache httpd):

# Insert the following when the PHP execution feature is enabled on the server.
<Directory "/var/share/jorurigw/public">
php_admin_flag engine off
</Directory>
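As an added example (not from the advisory or the Joruri Gw manual), the same Apache httpd mitigation extended with defence in depth for the public directory, assuming the path given in the vendor's manual, Apache 2.4 and mod_php:

```apache
# Added example: stop any uploaded script from being executed under the
# Joruri Gw public directory (path as given in the vendor's manual).
<Directory "/var/share/jorurigw/public">
    # 1. mod_php: with the engine left at its default (on), an uploaded
    #    .php file would be interpreted. php_admin_flag turns it off for
    #    this tree and cannot be overridden from .htaccess or ini_set().
    php_admin_flag engine off

    # 2. Defence in depth: make sure no handler maps PHP-like extensions
    #    to an interpreter here (covers php-fpm setups, where the engine
    #    flag does not apply). SetHandler None clears a handler inherited
    #    from a parent context; the files are also not served at all.
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        SetHandler None
        Require all denied
    </FilesMatch>

    # 3. Nothing under this tree is treated as CGI or SSI, and no
    #    per-directory override file may re-enable any of the above.
    Options -ExecCGI -Includes
    AllowOverride None
</Directory>
```

php_admin_flag is only understood when mod_php is loaded; on a php-fpm installation drop that line and rely on the FilesMatch block. Verify the result by requesting a harmless test .php file placed in that directory and confirming the server returns 403 rather than interpreter output.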
Vendor Information

SiteBridge Inc.
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2018-0568
References

  1. JVN: JVN#95589314
  2. National Vulnerability Database (NVD): CVE-2018-0568
Revision History

  • [2018/04/26]
      Web page was published
  • [2018/08/30]
      References: contents were added