AI PRP: Request CVE-2024-5982 Path Traversal Causes Arbitrary Upload (RCE), Arbitrary Directory Creation, and File Content Leakage (First Column of CSVs) in chuanhuchatgpt

[maoning]

Reference: https://sightline.protectai.com/vulnerabilities/2cbac1ac-2561-4f8e-8854-7022973f7422/assess

Require further research in terms of type of payload can be used for vuln verification, should achieve detection effectiveness while minimizing state changing actions on the target system.

Please read the rules of engagement first at #409.

[OccamsXor]

Hi @maoning,

I want to help with this. Can you assign this issue to me?

[maoning]

@OccamsXor There are 3 issues assigned to you: https://github.com/google/tsunami-security-scanner-plugins/issues?q=is%3Aissue%20state%3Aopen%20assignee%3AOccamsXor, could you follow up on #434 and confirm whether you still want to work on the other 2 first?

[OccamsXor]

@maoning this is the current status of 3 issues assigned to me:
#402

Hi @OccamsXor,

We are not completely sure on whether we would like to continue with that product or CVE. To help us make a decision, would you be willing to contribute to fingerprints for Craft CMS? If so, please open a new issue and I will be sure to accept it right away.

Thank you, ~tooryx

#406
I sent PR on March 22. Didn't recieve any updates until September. I don't have currently environment to test this PR.

#511

Hi @OccamsXor,

No, currently Tsunami does not have such capability. I will chat with the rest of the team to see if we can find a solution for this.

~tooryx

I want to prioritize and help with this issue.

[maoning]

@OccamsXor Thank you for updating the fingerprint. I have updated the status for #511. You can start working on this issue and please complete the following tasks:

• Vulnerability research
• Provide testbed at https://github.com/google/security-testbeds/
• Fill in our participation form and create pull request for your implementation.