Hello and welcome to the Wednesday, July 19th, 2020,

edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Our first scene URL feature did discover an interesting attack today against the Staggle navigation for

GERA menus and themes. This is a plugin for Gira that does implement some sort of nicer

design options for GERA make it look prettier. Well, the problem is in March, there were two

vulnerabilities disclosed in this particular plugin CVE 20203-26255 as well as CVE 20203-26256.

Both vulnerabilities are directory traversal vulnerabilities, just in different parts of the

particular plugin, and well, this can be used to read arbitrary files on the file system

often affected GERA server. We see it being used to, first of all, read Etsy password, but then also DBconfig.

comfix.xml password.

The second file is used by Gira to store database credentials.

So that's certainly something if that leaks, that could potentially be a problem.

And if you see the exploit URLs, well, it's pretty straightforward.

It's just a simple file name parameter that you have to hit with the right number of dot dots

to basically end up in the route path.

Since this particular vulnerability was made public,

we sort of saw off and on a couple of hits against related URLs.

However, in the last three days,

it really sort of has taken off a little bit

and reached the threshold where our first seen URL feature

did flag this as something new and of interest.

...