Security release v2.3.2

March 7, 2023

We were hoping that our next blog post would be the announcement of the big new pretalx 3.0 release (which we still hope to release in the first half of 2023!), but sadly we have one security release to issue beforehand: pretalx v2.3.2 fixes a path traversal vulnerability in the "HTML export" functionality in pretalx.

(Users of pretalx.com don't need to take any action – pretalx.com always has the latest security fixes installed already.)

The vulnerability

In the off-by-default static HTML export, all pages of an event are exported into a single zip archive, so that users can keep backups of their event without having to keep a pretalx installation (updates and all) around, and so that the pages keep looking the way they looked at the time of the event instead of changing whenever pretalx gets updated.

This HTML export includes user-uploaded files, like presentations and slides. Users were able to upload HTML files with malicious content, leading pretalx to read arbitrary files it had access to and include those files in the HTML export provided to organisers. This way, organisers were able to exfiltrate files from the server pretalx was running on. In the same way, organisers were able to trigger file writes, where they could choose to overwrite files with the standard pretalx 404 page content.
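The root cause described above is that file references coming from user-controlled HTML were resolved against the export directory without checking that the final path still lies inside it. The following is an added illustration (not pretalx's own code, and not the fix that was applied) of the check an exporter needs: resolve every candidate path, then refuse anything whose real location is outside the export root, on both the read and the write side. The export root `/srv/pretalx-export` and the list of references are constructed sample values.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed export root; it does not need to exist for the path check.
EXPORT_ROOT = "/srv/pretalx-export"

# Constructed file references, as they might be collected from <img>/<link>/<a>
# attributes of an uploaded HTML file. Two are legitimate, three try to escape.
SAMPLE_REFERENCES = [
    "media/slides/talk-42.pdf",                          # plain relative path
    "media/../media/slides/talk-42.pdf",                 # normalises to the same file
    "../../outside.txt",                                 # parent-directory traversal
    "/absolute/outside.txt",                             # absolute path replaces the root
    "media/slides/../../../../outside/secrets.txt",      # deep traversal after a valid prefix
]


@dataclass(frozen=True)
class ExportDecision:
    requested: str
    resolved: str
    allowed: bool
    reason: str


def confine_to_root(root: str, requested: str) -> ExportDecision:
    """Resolve `requested` against `root` and decide whether it stays inside.

    The check is made on the fully resolved path, not on the input string:
    os.path.join() silently discards `root` when `requested` is absolute, and
    os.path.realpath() collapses '..' segments and follows symlinks, so only
    the final location tells us where a read or write would actually land.
    """
    root_real = os.path.realpath(root)
    resolved = os.path.realpath(os.path.join(root_real, requested))
    # commonpath() is used instead of startswith() so that a sibling directory
    # such as "/srv/pretalx-export-other" is not mistaken for the root.
    if os.path.commonpath([root_real, resolved]) != root_real:
        return ExportDecision(requested, resolved, False, "escapes export root")
    return ExportDecision(requested, resolved, True, "inside export root")


def filter_export_references(
    root: str, references: List[str]
) -> Tuple[List[ExportDecision], List[ExportDecision]]:
    """Split collected references into those safe to include and those rejected."""
    decisions = [confine_to_root(root, ref) for ref in references]
    allowed = [d for d in decisions if d.allowed]
    rejected = [d for d in decisions if not d.allowed]
    return allowed, rejected


def safe_write(root: str, requested: str, data: bytes, overwrite: bool = False) -> str:
    """Write `data` to `requested` only if it resolves inside `root`.

    Refusing to overwrite by default covers the second issue described above,
    where an attacker-chosen path was overwritten with fixed page content.
    """
    decision = confine_to_root(root, requested)
    if not decision.allowed:
        raise PermissionError(f"refusing to write {requested!r}: {decision.reason}")
    if not overwrite and os.path.exists(decision.resolved):
        raise FileExistsError(f"refusing to overwrite existing file {decision.resolved!r}")
    os.makedirs(os.path.dirname(decision.resolved), exist_ok=True)
    with open(decision.resolved, "wb") as fh:
        fh.write(data)
    return decision.resolved


if __name__ == "__main__":
    allowed, rejected = filter_export_references(EXPORT_ROOT, SAMPLE_REFERENCES)
    for d in allowed:
        print(f"include  {d.requested!r} -> {d.resolved}")
    for d in rejected:
        print(f"REJECT   {d.requested!r} ({d.reason})")

    # Write-side demo in a throwaway directory so the script is harmless to run.
    with tempfile.TemporaryDirectory() as tmp:
        print("wrote", safe_write(tmp, "404.html", b"<h1>Not found</h1>"))
        try:
            safe_write(tmp, "../escaped.html", b"<h1>Not found</h1>")
        except PermissionError as exc:
            print("blocked:", exc)
```

The decision objects keep both the requested string and the resolved location, which is also what you want in a log line when an export rejects a reference: it makes a traversal attempt visible to whoever reviews the event's uploads, rather than failing silently.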

Timeline and impact

The two vulnerabilities were discovered by researchers at Sonar, who notified us today at 11:09 a.m. CET. Their advisory not only included a detailed reproduction of both issues, but also recommendations for code fixes that we were able to apply to both the last pretalx release and our current development copy. After verifying the report and testing the fix, we released pretalx v2.3.2 at ca. 1:30 p.m. CET and deployed the fix on pretalx.com.

The two vulnerabilities have not been exploited on pretalx.com.

Updates

We urge all self-hosted pretalx instances to update to either pretalx v2.3.2 or the main branch, as documented in our update guide. If you were running pretalx in the insecure and unrecommended development mode, please be advised that the second vulnerability may have opened you to arbitrary file writes and even code execution, depending on your setup. Never run the pretalx development mode in production!

Please follow this blog, our RSS feed, our Twitter account, or a feed of our releases to make sure your pretalx instance is up to date.

We'd like to thank the researchers at Sonar for following our disclosure guidelines and their effort to not only identify, but also remediate these vulnerabilities. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretalx.com.