CVE-2016-0784
medium
CVSS v3
6.5
CVSS v4
n/a
VIR risk
7.5
Description
Apache OpenMeetings Directory Traversal vulnerability
Predictions
Exploit likelihood
75%
Patch ETA
n/a
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Directory Traversal
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0
Description:
The Import/Export System Backups functionality in the OpenMeetings Administration menu (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially crafted file names within ZIP archives.
Uploading an archive containing a file named ../../../public/hello.txt will write the file "hello.txt" to the http://domain:5080/openmeetings/public/ directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3rd party integrated executable) with a shell script, which would be executed the next time an image file is uploaded and imagemagick is invoked.
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
Apache OpenMeetings Team
--
WBR
Maxim aka solomax
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.openmeetings:openmeetings-install | >=1.9.0,<3.1.1 | 3.1.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | openmeetings | <= 3.1.0 | 3.1.1 |
References
- http://haxx.ml/post/141655340521/all-your-meetings-are-belong-to-us-remote-code
- http://openmeetings.apache.org/security.html
- http://packetstormsecurity.com/files/136484/Apache-OpenMeetings-3.1.0-Path-Traversal.html
- http://www.openwall.com/lists/oss-security/2016/03/25/2
- http://www.securityfocus.com/archive/1/537929/100/0/threaded
- https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG
- https://www.exploit-db.com/exploits/39642/
- https://nvd.nist.gov/vuln/detail/CVE-2016-0784
- https://github.com/apache/openmeetings/commit/fbab8891d96f3352c37f1be303d9c9a685aa6847
- https://github.com/apache/openmeetings
- https://web.archive.org/web/20160330085718/http://haxx.ml/post/141655340521/all-your-meetings-are-belong-to-us-remote-code
- https://web.archive.org/web/20160617190447/https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG
- https://web.archive.org/web/20201209041006/http://www.securityfocus.com/archive/1/537929/100/0/threaded
- https://web.archive.org/web/20201221104133/http://packetstormsecurity.com/files/136484/Apache-OpenMeetings-3.1.0-Path-Traversal.html
CWEs
CWE-22