|Requires Admin Access:
|SafeDog Penetration and Defense Lab - Yong Cai
With a user that is authenticated to the backend, intentionally customized bundles can be uploaded that will write files to arbitrary locations on the filesystem.
Should always be running dotCMS as a user that only has access to the parts of the filesystem necessary to run dotCMS. These limited permissions will keep this vulnerability from being used to write files outside of the dotCMS / tomcat directory structure.
Access to vulnerability requires:
The soon to be released 3.7.2 version of dotCMSA fix will be forthcoming that will ensure that files from bundles can only be written to the intended location within dotCMS.
CERT issue CVE-2017-3188