=========================================================================
Subject: Unauthenticated arbitrary file access through path traversal
Product: Totemomail
Vendor: Kiteworks
CVE ID: CVE-2024-28064
CVSS v3.1: 9.8 [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]
Authors: Delphine Peter <delphine.peter@objectif-securite.ch> , Philippe Oechslin <philippe.oechslin@objectif-securite.ch>
Date: 06.05.2024
=========================================================================

Summary 
-------
A path traversal vulnerability in Totemomail 7.0.0 to 8.2.1 allows an unauthenticated 
user to read, write and delete arbitrary files on the remote server.


Details
-------

Totemomail offers a webmail interface for reading and writing e-mails. Users can 
choose between two channels for secure messages: Webmail, which allows to read 
secure messages in Totemo webmail application, and Registered Envelope, which 
consists in sending encrypted secure messages to the recipient's mailbox as HTML 
attachments. When opening the HTML attachment of a Registered Envelope, the user 
must authenticate in order to retrieve the cryptographic material used to 
decrypt the secure message contained in the HTML file.

If such an HTML attachment is opened in a browser that does not have JavaScript 
enabled, the <noscript> part of the HTML page is executed, which sends a GET 
request as follows:

GET /responsiveUI/EnvelopeOpenServlet?envelopeAction=displayLoginChunkedImages&messageId=123_45&templateName=defaultEnvelopeTemplate.vm&useLinkedStyle=false&envelopeRecipient=[REDACTED]&attachment=false&supportsOpenOnlinetrue HTTP/1.1

The parameter messageId in the above request is vulnerable to path traversal 
attacks. When this parameter contains a valid path to a file on the remote 
server, the latter file content is included by the server in the value attribute of 
the HTML tag :
<input type="hidden" id="encryptedContent" name="encryptedContent" value="[REDACTED]"/>

Note that no session cookie is required to send the above GET request.

Thus, unauthenticated users can read arbitrary files on the web server, in 
accordance with the access rights granted to the account executing the 
application. For instance, the file /etc/passwd and the Totemo license key can 
be read by setting messageId to ../../../../etc/passwd and 
../../../../opt/totemomail/conf/license.key respectively. 

We suppose that one can also access secure messages and decryption keys on the 
server, since the application must have read access to such data, but we could 
not confirm this assumption.

After returning the content of a given file, the Totemomail application deletes 
it on the server if it has sufficient access rights. This can lead to Denial of 
Service if a file required by the application, such as the Totemo licence key, 
is deleted.

Furthermore, we noticed another path traversal vulnerability, allowing arbitrary 
write, which was also fixed in the patch released to address the above vulnerability.
The arbitrary file write vulnerability affects the following endpoint, with the 
vulnerable parameter messageId:

GET /responsiveUI/EnvelopeOpenServlet?envelopeAction=storeLoginChunkedImages&messageId=123_45&off=0&payload=[FILE_CONTENT]&size=1234 HTTP/1.1


Vulnerable versions:
--------------------
Tested on Totemo AG totemomail versions 7.0.0 and 8.2.1

Fixed version:
--------------
Totemomail version 8.3.0


Timeline
-------

23.02.24 Discovery
26.02.24 Initial vendor notification
01.03.24 Vendor acknowledgement
01.03.24 Patch available
06.05.24 CVE requested
06.05.24 Advisory publication
18.05.24 CVE assigned

References
------
https://nvd.nist.gov/vuln/detail/CVE-2024-28064
https://www.objectif-securite.ch/advisories/totemomail-path-traversal.txt