CVE-2019-8903
Published 2019-02-18 · CVE-2019-8903: index.js in Total.js Platform before 3.2.3 allows path traversal.
Priority: P2 71 · high · CVSS 3.0 base 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Exploit available · EPSS 72.06% (99.4th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| totaljs | total.js | < 3.2.3 | 3.2.3 |
| totaljs | total.js | >= 0 < 3.2.3 | 3.2.3 |
Detection & IOCs (extracted from sources)
Probe URL: `{{BaseURL}}/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html`
- Detect path traversal attempts using URL-encoded dot-dot sequences (`.%2e/`, which decodes to `../`) in HTTP GET requests to Total.js servers. A successful exploit returns HTTP 200 with the file contents.
- A response body containing `apache2.conf` in reply to the traversal request for `/var/www/html/index.html` is a strong indicator of successful exploitation: the default Debian/Ubuntu Apache placeholder page mentions `apache2.conf`, so the match confirms a file outside the Total.js public directory was read.
- The vulnerability resides in index.js of Total.js Platform. Monitor requests for URL-encoded traversal patterns targeting the static file extensions the framework serves: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic.
- The Metasploit module targets versions prior to 3.2.4, while NVD and the Nuclei template give the fix as 3.2.3. Ensure detection coverage applies to all Total.js versions before 3.2.4.
- The traversal payload uses a percent-encoded dot (`.%2e/`, where `%2e` is the encoding of `.`) rather than the literal `../` sequence, so WAF/IDS rules must decode the path before matching, or explicitly account for this and the neighbouring variants (`%2e%2e/`, `..%2f`, and double-encoded forms such as `%252e`).
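As an added example (not code from the page's sources, the Nuclei template, or Total.js itself), the following Node.js script applies the detection logic above to a few constructed access-log lines: it percent-decodes the request path, repeating the decode to catch double encoding, splits it into segments, and flags any request that contains a `..` segment, so the `.%2e/`, `%2e%2e/` and `..%2f` variants are all caught while a filename such as `logo..png` is not. The Common Log Format layout, the IP addresses and the sample lines are assumptions constructed for the example.

```javascript
// Added example (not Total.js or Nuclei code): flag URL-encoded traversal
// attempts against a Total.js server in Common Log Format access-log lines.
// The lines below are constructed for the example, not captured traffic.
const SAMPLE_LOG = [
  '203.0.113.5 - - [18/Feb/2019:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 812',
  '203.0.113.5 - - [18/Feb/2019:10:00:02 +0000] "GET /.%2e/.%2e/.%2e/.%2e/var/www/html/index.html HTTP/1.1" 200 10918',
  '198.51.100.7 - - [18/Feb/2019:10:00:03 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
  '198.51.100.7 - - [18/Feb/2019:10:00:04 +0000] "GET /..%252f..%252fetc/hosts HTTP/1.1" 404 0',
  '192.0.2.9 - - [18/Feb/2019:10:00:05 +0000] "GET /img/logo..png HTTP/1.1" 200 4096',
];

// Common Log Format: ip ident user [time] "METHOD path PROTO" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/;

// Percent-decode until the string stops changing (bounded), so that both
// single-encoded (.%2e) and double-encoded (%252e / %252f) payloads are
// normalised to their literal form. A malformed escape leaves the input as is.
function decodeFully(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// A request is a traversal attempt when any path segment is exactly "..".
// Matching whole segments rather than the substring ".." avoids flagging
// names such as "logo..png". Backslashes are treated as separators too.
function isTraversal(rawPath) {
  const decoded = decodeFully(rawPath.split('?')[0]);
  return decoded.split(/[\\/]+/).some((seg) => seg === '..');
}

// One finding per flagged line. likelySuccess mirrors the Nuclei matcher:
// a 200 response to a traversal request. The advisory's extension list can
// be applied to `ext` as an extra filter for what the framework would serve.
function analyzeLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // not a CLF line; skip rather than guess
    const [, ip, time, method, rawPath, status] = m;
    if (!isTraversal(rawPath)) continue;
    const decoded = decodeFully(rawPath.split('?')[0]);
    const extMatch = /\.([A-Za-z0-9]+)$/.exec(decoded);
    findings.push({
      ip, time, method, rawPath, decoded,
      ext: extMatch ? extMatch[1].toLowerCase() : '',
      status: Number(status),
      likelySuccess: Number(status) === 200,
    });
  }
  return findings;
}

// Stand-alone run: print each flagged request with its decoded form.
for (const f of analyzeLog(SAMPLE_LOG)) {
  console.log(`${f.likelySuccess ? 'HIT' : 'TRY'} ${f.ip} ${f.rawPath} -> ${f.decoded} (${f.status})`);
}
```

On the constructed input this reports three attempts and marks only the `/var/www/html/index.html` request, which got a 200, as a likely success; the two 404s are attempts worth alerting on but not confirmed reads, and the `logo..png` request is left alone.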
CVSS provenance
- NVD v3.0: 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- NVD v2.0: 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
OSV · 2019-02-20
CVE-2019-8903 [HIGH] Path Traversal in total.js
Affected versions of `total.js` are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files outside the `/public` folder by using relative paths.
The files served are limited to these file types: `flac`, `jpg`, `jpeg`, `png`, `gif`, `ico`, `js`, `css`, `txt`, `xml`, `woff`, `woff2`, `otf`, `ttf`, `eot`, `svg`, `zip`, `rar`, `pdf`, `docx`, `xlsx`, `doc`, `xls`, `html`, `htm`, `appcache`, `manifest`, `map`, `ogv`, `ogg`, `mp4`, `mp3`, `webp`, `webm`, `swf`, `package`, `json`, `md`, `m4v`, `jsx`, `heif`, `heic`.
## Recommendation
- If you are using version 2.1.x, upgrade to 2.1.1 or later.
- If you are using version 2.2.x, upgrade to 2.2.1 or later.
- If you are using version 2.3.x, upgrade to 2.3.1 or later.
GHSA · 2019-02-20
CVE-2019-8903 [HIGH] CWE-22 Path Traversal in total.js
Advisory body identical to the OSV entry above.
No detection rules found.
Metasploit
Total.js prior to 3.2.4 Directory Traversal
This module checks for and exploits a directory traversal vulnerability in Total.js prior to 3.2.4. Accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic.
Nuclei · CVSS 7.5
CVE-2019-8903 [HIGH] Totaljs <3.2.3 - Local File Inclusion
Total.js Platform before 3.2.3 is vulnerable to local file inclusion. (The template's "Local File Inclusion" label describes an arbitrary file read; the page's other sources classify the issue as CWE-22 path traversal, and no code execution is shown.)
Template (info section as indexed; the http request section is not included on this page):

```yaml
id: CVE-2019-8903
info:
  name: Totaljs <3.2.3 - Local File Inclusion
  author: madrobot
  severity: high
  description: Total.js Platform before 3.2.3 is vulnerable to local file inclusion.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks.
  remediation: |
    Upgrade Totaljs to version 3.2.3 or later to fix the LFI vulnerability.
  reference:
    - https://blog.certimetergroup.com/it/articolo/security/total.js-directory-traversal-cve-2019-8903
    - https://github.com/totaljs/framework/commit/c37cafbf3e379a98db71c1125533d1e8d5b5aef7
    - https://github.com/totaljs/framework/commit/de16238d13848149f5d1dae51f54e397a525
```
No writeups or analysis indexed.
References
- https://blog.certimetergroup.com/it/articolo/security/total.js-directory-traversal-cve-2019-8903
- https://github.com/totaljs/framework/commit/c37cafbf3e379a98db71c1125533d1e8d5b5aef7
- https://github.com/totaljs/framework/commit/de16238d13848149f5d1dae51f54e397a525932b
Published: 2019-02-18