Compiled by: Code Guard
Security researchers have discovered a critical vulnerability in the widely used open source content management system PHPFusion CMS, for which there is currently no patch.
The vulnerability is an authenticated local file inclusion (LFI) flaw, tracked as CVE-2023-2453. If an attacker can place a maliciously constructed ".php" file at a known path on the target system, it can lead to remote code execution.
This is one of two vulnerabilities recently discovered by Synopsys in PHPFusion. The other, CVE-2023-4480, is a medium-severity vulnerability in the CMS that can allow attackers to read the contents of files on the affected system and write files to arbitrary locations. Both vulnerabilities are present in PHPFusion 9.10.30 and earlier, and there are currently no patches for either.
No patch
Synopsys stated that it made multiple attempts to contact the administrator of PHPFusion through email, vulnerability disclosure process, GitHub, and community forums but all failed. PHPFusion has not yet commented on this.
PHPFusion is an open source CMS that has been around since 2003. Although it is not as well-known as other content management systems such as WordPress, Drupal and Joomla, it is currently used by approximately 15 million websites around the world. It is commonly used by small and medium-sized businesses to build online forums, community-driven websites, and other online projects.
Synopsys notes that CVE-2023-2453 is caused by improper sanitization of tainted file names for certain file types. An attacker can exploit this vulnerability to upload and execute arbitrary .php files on any PHPFusion server.
Exploitation conditions
Matthew Hogg, the software engineer who discovered the vulnerability, mentioned that "there are only two requirements to exploit this vulnerability." One is that the attacker needs to be able to authenticate with at least a low-privilege account, and the other is that they need to know the vulnerable endpoint. He mentioned, "If these two conditions are met, malicious actors will be able to construct a payload and exploit this vulnerability."
Ben Ronallo, a vulnerability management engineer at the company, mentioned that attackers also need to find somewhere on the vulnerable system to upload a maliciously crafted .php payload. "Attackers need to view the source code of PHPFusion to identify the vulnerable endpoint."
What an attacker can do after exploiting this vulnerability depends on the permissions associated with the PHPFusion user account. For example, an attacker with access to administrator credentials could read arbitrary files on the underlying operating system. He mentioned, "In the worst case scenario, if the attacker has a way to upload the payload file to the target, remote code execution can be achieved. Both scenarios can lead to the theft of sensitive information, and the latter can give the attacker control of the vulnerable server."
Meanwhile, another vulnerability of lower severity, CVE-2023-4480, is related to an outdated dependency in the Fusion File Manager component, which is accessible through the CMS's administrator panel. An attacker with administrator or superadmin privileges could exploit this vulnerability to disclose the contents of files on a vulnerable system or to allow certain file types to be written to known paths on the server's file system.
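The two flaws described above belong to familiar classes: a tainted file name reaching disk with an executable extension, and a user-controlled path being read from or written to outside its intended directory. The following PHP is an added illustration of the defensive checks that close those classes in a generic upload and file-access handler. It is not PHPFusion code and not part of Synopsys' findings; the function names (safe_upload_name, confine_path, confine_new_path) and all sample inputs are constructed for this example.

```php
<?php
// Added example (not PHPFusion code): generic checks against tainted upload names
// and path traversal. Helper names and inputs are constructed for illustration.
declare(strict_types=1);

// Explicit allowlist: anything not listed is rejected, so ".php", ".phtml",
// ".phar" and similar never need to be enumerated as a denylist.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];

// Validate a client-supplied file name and return a server-chosen name to store
// it under, or null if the upload must be rejected.
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory component the client sent ("../../x.png" -> "x.png").
    $base = basename(str_replace('\\', '/', $clientName));
    // Only the text after the final dot counts as the extension, so
    // "shell.png.php" yields "php" and is rejected.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // A random server-generated name removes every other part of the tainted
    // name, so a double extension such as "shell.php.png" cannot survive to
    // disk; only the vetted extension is kept.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Resolve a user-supplied relative path for reading and confirm it stays
// inside $baseDir. Returns the canonical path, or null if it escapes.
function confine_path(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false when the
    // target does not exist, which is also a rejection for a read.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Compare with a trailing separator so "/srv/uploads_evil" is not accepted
    // as being inside "/srv/uploads".
    if ($target !== $base && strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// For a file that does not exist yet (a write), realpath() cannot be used on the
// target, so validate the bare name and join it onto the base directory.
function confine_new_path(string $baseDir, string $relName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    if ($relName === '' || $relName === '.' || $relName === '..'
        || $relName !== basename($relName)      // no directory separators
        || strpos($relName, "\0") !== false) {  // no NUL truncation tricks
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $relName;
}

// --- constructed demonstration ---
foreach (['photo.JPG', 'shell.php', 'shell.png.php', '../../config.php', 'shell.php.png'] as $n) {
    printf("upload %-18s -> %s\n", $n, safe_upload_name($n) ?? 'REJECTED');
}

$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confine_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'readme.txt', "ok\n");

foreach (['readme.txt', '../../../etc/passwd', 'missing.txt'] as $p) {
    printf("read   %-18s -> %s\n", $p, confine_path($dir, $p) ?? 'REJECTED');
}
foreach (['new.txt', '../escape.txt', '..'] as $p) {
    printf("write  %-18s -> %s\n", $p, confine_new_path($dir, $p) ?? 'REJECTED');
}

unlink($dir . DIRECTORY_SEPARATOR . 'readme.txt');
rmdir($dir);
```

Run with `php example.php`. The upload check accepts "photo.JPG" and "shell.php.png" (both become a random name ending in a permitted extension) and rejects the other three; the read check accepts only "readme.txt", and the write check accepts only "new.txt". Storing uploads outside the web root, or in a directory where the web server is configured not to execute scripts, is the complementary control that limits the damage even when a name check is bypassed.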
Original link
https://www.darkreading.com/application-security/researchers-discover-critical-vulnerability-in-phpfusion-cms
Title image: Pexels License
This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. When reprinting, please indicate "Reprinted from Qi Anxin Code Guard https://codesafe.qianxin.com".