Two security flaws found, update mitigates only one

Mar 5, 2015 21:40 GMT  ·  By

A new release of ShareLaTeX, the real-time collaborative LaTeX editor, fixes a vulnerability that allows an authenticated attacker to execute commands on the server.

ShareLaTeX is a server-based application that lets groups collaborate on LaTeX documents. A commercial edition, ShareLaTeX Server Pro, adds administration features and additional security controls, but the free edition is the one most widely deployed.

Insufficient sanitization of command elements

A vulnerability note from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University states that ShareLaTeX versions earlier than 0.1.3 contain a flaw that an attacker can exploit to execute commands on the server with the same permissions as the ShareLaTeX process.

Tracked as CVE-2015-0934, the flaw is a command injection: file names are inserted into a shell command without sanitization, so a file name containing backticks causes the shell to execute whatever is written between them, with the privileges of the ShareLaTeX process.

Second weakness mitigated by changing the configuration file

A second vulnerability, CVE-2015-0933, has also been identified by security researchers. It lets an attacker read information belonging to other users or about the server the software runs on.

This is a path traversal issue: an attacker places a valid absolute path in a LaTeX document and has the "latex" process compile it; the resulting document contains the contents of the file at that path. Since the compiler runs with the permissions of the ShareLaTeX process, any file that process can read, including other users' project files and server configuration, can be extracted this way.

In this case, updating to the latest version of ShareLaTeX does not eliminate the risk. The mitigation is to set "openin_any" to paranoid ("p") in the TeX configuration file (texmf.cnf) on the server running ShareLaTeX. With that setting, TeX refuses to open files by absolute path or through parent directories, so reads are restricted to the project's own directory and to the files found through the standard TeX search path. Because TeX Live ships more than one texmf.cnf, the effective value should be confirmed on the server with "kpsewhich -var-value=openin_any".

Both vulnerabilities require an authenticated user but can then be exploited remotely. The CERT advisory warns, however, that in ShareLaTeX 0.1.3 registering an account requires only an email address and no approval by a moderator or administrator, so the authentication requirement is a weak barrier: an attacker can register with a throwaway address and remain effectively anonymous.