SYNC-2023-042301 - Directory Traversal

Severity: Low2023-04-07

Security Advisories

Abstract

A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF directory via a crafted HTTP request. (XML Web Author 24.1.0.3 build 2023021714 and 23.1.1.4 build 2023021715 are also fixed versions.)

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v5.0.2 and olderMedium Oxygen Content Fusion 5.0.3 build 2023022015
Oxygen XML Web Author v25.0.0.2 and olderMedium Oxygen XML Web Author 25.0.0.3 build 2023021715
Oxygen XML Web Author 24.1.0.3 build 2023021714
Oxygen XML Web Author 23.1.1.4 build 2023021715

Mitigation

Oxygen XML Web Author

If for whatever reason you cannot secure your Oxygen XML Web Author service by updating it using the kits above-mentioned, as an alternate solution you can disable caching in Tomcat:

  • locate the context.xml file that is usually located in tomcat/conf/ folder
  • edit the context.xml file and add the following code snippet in the root element: <Resources cachingAllowed="false"/>
  • restart the Tomcat server
Please note that the installation of the kits is the preferred solution, and the workaround should only be considered as a temporary measure until the kits can be used.

Oxygen Content Fusion

If for whatever reason you cannot secure your Oxygen Content Fusion by updating it using the kit above-mentioned, as a security workaround you can disable caching in Tomcat for the Web Author service by following the below steps for Content Fusion 5.0:

  • open a shell (SSH) inside the server where Content Fusion is installed and run the following commands:
    • export VERSION=5.0
    • sudo docker tag oxygenxml/webreviewer-webauthor:v$VERSION oxygenxml/webreviewer-webauthor:v$VERSION-backup
    • sudo docker create --name tmp oxygenxml/webreviewer-webauthor:v$VERSION
    • sudo docker cp tmp:/tomcat/conf/context.xml context-to-fix.xml
    • sed -i 's/<\/Context>/<Resources cachingAllowed="false"\/><\/Context>/g' context-to-fix.xml
    • sudo docker cp context-to-fix.xml tmp:/tomcat/conf/context.xml
    • sudo docker commit tmp oxygenxml/webreviewer-webauthor:v$VERSION
    • sudo docker rm tmp
    • rm -rf context-to-fix.xml
  • restart the server, see this documentation topic.
For Content Fusion 4.1 use the above procedure but instead of export VERSION=5.0 run export VERSION=4.1.

Note that the installation of the kit is the preferred solution, and the workaround should only be considered as a temporary measure until the kits can be used.

Detail

SYNC-2023-042301

Severity: Medium

CVSS Score: 5.3

Using special requests, a remote attacker may read files from WEB-INF directory of Oxygen XML Web Author application. However, by default, this directory does not contain sensitive information so the severity of this issue should be seen as low.

Revision History

2023-04-27 CVE-2023-26559 CVE ID has been assigned for this vulnerability.

List of Security Advisories

Video Tutorials
Upcoming Events
conference
Balisage: The Markup Conference 2024

Products

Features

Shop

Resources

Support

Company

© 2002-2024 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor