~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Certitude Security Advisory - CSA-2025-0001
~
~ PRODUCT          : Bolt
~ VENDOR           : Bolt
~ SEVERITY         : Medium
~ AFFECTED VERSION : <5.1.25, <5.2.2
~ IDENTIFIERS      : CVE-2025-25599
~ PATCH VERSION    : 5.1.25, 5.2.2
~ FOUND BY         : William Mark Moody, Certitude Lab
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Introduction
------------

Bolt (https://boltcms.io) is an open-source content management system built
on the Symfony PHP framework (https://symfony.com/).

During a short security assessment, Certitude identified an arbitrary file
read vulnerability. The exploit demonstrated here was tested against a
default installation of Bolt using MySQL and NGINX, set up according to the
following documentation:

- https://docs.boltcms.io/5.2/installation/installation
- https://docs.boltcms.io/5.2/installation/webserver/nginx
- https://github.com/bolt/project/issues/44

Vulnerability Overview
----------------------

Users with the role 'ROLE_EDITOR', 'ROLE_CHIEF_EDITOR', 'ROLE_ADMIN', or
'ROLE_DEVELOPER' may abuse an insecure temporary file disclosure when
uploading an avatar via URL in order to read arbitrary files from the
underlying server.

Proof of Concept
----------------

The following demonstrates the race condition issue using Burp Suite
Professional Intruder:

1. Log into Bolt with a user who has one of the following roles:
   'ROLE_EDITOR', 'ROLE_CHIEF_EDITOR', 'ROLE_ADMIN', 'ROLE_DEVELOPER'

2. Inside Burp Suite Professional, prepare an Intruder attack with the type
   'Sniper' and the following request:

       GET /files/tmp/avatarspasswd HTTP/1.1
       Host: example.com
       Connection: close
       Foo: $$

   Note: The dollar signs in the request above represent the payload marker
   symbols.

   Set the payload type to 'Numbers' with the following settings and launch
   the Intruder attack:

   - From: 1
   - To: 10000
   - Step: 1

3. Visit 'http://example.com/bolt/profile-edit'

4. Under 'Avatar', click the dropdown arrow on the 'Upload' button and select
   'From URL'. Enter 'file:///etc/passwd' and click 'OK'.

5. When the exploit is successful, the contents of the local file
   '/etc/passwd' can be found in one of the responses from Intruder (the
   status will be 200).

Because the temporary file exists for only a few milliseconds, an attacker
will likely need many attempts before the exploit succeeds.

References
----------

- https://certitude.consulting/blog/en/bolt-cms/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25599

Timeline
--------

---------------------------------------------------------------------------
Date         Text
------------ --------------------------------------------------------------
2023-12-12   Contacted original maintainer (Bob de Otter) by email
2024-01-18   Project development put on hold due to maintainer's passing
2025-03-06   Project development resumed by new maintainers
2025-03-10   Contacted new maintainers via Slack
2025-03-11   Patches released for 5.1.X and 5.2.X branches
2025-03-13   Released advisory and blog post
---------------------------------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(c) 2025 Certitude Consulting GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
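The weakness described in the overview above has two parts: the "From URL"
import accepted a file:// URL, so a local file could be read into the avatar
pipeline, and the fetched content was staged under a web-served path
(/files/tmp/...) for a brief window in which any authenticated user could
request it. The following PHP is an added example of a hardened import
routine; it is not Bolt's own code and is not the vendor's patch. It assumes
the caller hands over the raw user-supplied URL string and that
sys_get_temp_dir() lies outside the NGINX document root; the function and
class names are illustrative.

```php
<?php
// Added example (not Bolt's code): hardened "avatar from URL" import.
// Assumption: sys_get_temp_dir() is NOT served by the web server.
declare(strict_types=1);

final class AvatarUrlImportError extends RuntimeException {}

/**
 * Allow only http/https URLs whose host resolves to a public address.
 * This rejects file://, php://, data:// and other stream wrappers that
 * file_get_contents()/copy() would otherwise open, and blocks SSRF to
 * loopback or private ranges.
 */
function assertFetchableUrl(string $url): void
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new AvatarUrlImportError('Malformed URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new AvatarUrlImportError('Only http/https URLs are allowed');
    }
    // gethostbyname() returns the input unchanged on failure; filter_var()
    // then rejects it because it is not an IP address at all.
    $ip = gethostbyname($parts['host']);
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        throw new AvatarUrlImportError('Host does not resolve to a public address');
    }
}

/**
 * Download into a temp file that lives outside the web root and is
 * readable only by the PHP process, so no web request can observe it,
 * however briefly it exists. Returns the temp path on success.
 */
function downloadToPrivateTempFile(string $url): string
{
    assertFetchableUrl($url);

    $tmp = tempnam(sys_get_temp_dir(), 'avatar_');
    if ($tmp === false) {
        throw new AvatarUrlImportError('Could not create temp file');
    }
    chmod($tmp, 0600); // owner-only; never world-readable

    $fh = fopen($tmp, 'wb');
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FILE            => $fh,
        // Defense in depth: cURL itself refuses non-http(s) schemes.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false, // a redirect could point at a private host
        CURLOPT_MAXFILESIZE     => 5 * 1024 * 1024,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $ok = curl_exec($ch);
    curl_close($ch);
    fclose($fh);

    if ($ok !== true) {
        unlink($tmp);
        throw new AvatarUrlImportError('Download failed');
    }
    // Accept only real image data before anything is moved under the web root.
    if (@getimagesize($tmp) === false) {
        unlink($tmp);
        throw new AvatarUrlImportError('Downloaded file is not an image');
    }
    return $tmp;
}

// Usage: the local-file URL from the advisory is rejected before any I/O.
try {
    downloadToPrivateTempFile('file:///etc/passwd');
} catch (AvatarUrlImportError $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The two controls are independent: scheme and address validation stop the
application from reading local or internal resources at all, and the private
temp location removes the window in which a staged file is reachable over
HTTP. Either one alone would have broken the race shown in the proof of
concept; applying both means a regression in one does not reopen the issue.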