Multiple High Risk Vulnerabilities In flatCore CMS

Title

Multiple Vulnerabilities

Product

flatCore CMS

Vulnerable Version

< 2.0.0 Build 139

Fixed Version

Release 2.0.0 Build 139

CVE Number

CVE-2021-23835, CVE-2021-23836, CVE-2021-23837, CVE-2021-23838

Impact

high

Found

20.11.2020

By

Yew Chung Cheah (Office Singapore), Calvin Phang (Office Singapore) | SEC Consult Vulnerability Lab

flatCore CMS suffers from multiple vulnerabilities such as reflected and stored cross site scripting, local file disclosure and time based blind SQL injection. Users of the application can be attacked (e.g. session hijacking), files of the operating system, such as /etc/passwd, and information from the database can be retrieved.

Vendor description

"flatCore is based on PHP and PDO/SQLite. The Core is as minimalistic as possible, but can be easily extended by the modular structure. If you are looking for a solution to edit your website live and with ease, flatCore may be your buddy."

Source: https://flatcore.org/

 

Business recommendation

The vendor provides an updated version which should be installed immediately. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues.

 

Vulnerability Overview / Description

1) Reflected Cross-Site Scripting (Authenticated user) (CVE-2021-23838)

A reflected cross-site scripting vulnerability was identified in the 'media_filter' HTTP request body parameter for the 'acp' interface. The affected parameter accepts malicious client side script without proper input sanitization. For example, a malicious user can leverage this vulnerability to steal cookies from a victim user and perform a session hijacking attack which may then lead to unauthorized access to the site.


2) Stored Cross-Site Scripting (Authenticated user) (CVE-2021-23836)

A stored cross-site scripting vulnerability was identified in the 'prefs_smtp_psw' HTTP request body parameter for the 'acp' interface. An admin user can inject malicious client side script to the affected parameter without any form of input sanitization. The injected payload will be executed in the browser of a user whenever one visits the affected module page.


3) Local File Disclosure (Authenticated user) (CVE-2021-23835)

A local file disclosure vulnerability was identified in the 'docs_file' HTTP request body parameter for the 'acp' interface which can be exploited with admin access rights. The affected parameter which retrieves the contents of the specified file was found to be accepting malicious user inputs without proper input sanitization, thus leading to retrieval of backend server sensitive files, for example /etc/passwd, sqlite database files, PHP source code etc.


4) Time Based Blind SQL Injection (Authenticated user) (CVE-2021-23837)

A time based blind SQL injection was identified in the 'selected_folder' HTTP request body parameter for the 'acp' interface. The affected parameter which retrieves the file contents of the specified folder was found to be accepting malicious user inputs without proper input sanitization, thus leading to SQL injection. Database related information can be successfully retrieved.

 

Proof Of Concept

 

1) Reflected Cross-Site Scripting (Authenticated user) (CVE-2021-23838)

An authenticated admin user can exploit this vulnerability by manipulating the 'media_filter' parameter found in the Files/ Manage Files module.

URL : http:// $HOST/acp/acp.php?tn=filebrowser&sub=browse
METHOD : POST
PARAMETER : media_filter
PAYLOAD : aaa%3cscript%3ealert(document.cookie)%3c%2fscript%3ebbb


2) Stored Cross-Site Scripting (Authenticated user) (CVE-2021-23836)

An authenticated admin user can exploit this vulnerability by manipulating the 'prefs_smtp_psw' parameter found in the System/ E-Mail module.

URL : http:// $HOST/acp/acp.php?tn=system&sub=mail
METHOD : POST
PARAMETER : prefs_smtp_psw
PAYLOAD : '%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3eaaabbb

 

3) Local File Disclosure (Authenticated user) (CVE-2021-23835)

An authenticated admin user can exploit this vulnerability by manipulating the 'docs_file' parameter found in the help module.

URL : http:// $HOST/acp/acp.php
METHOD : POST
PARAMETER : docs_file
PAYLOAD : %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd


4) Time Based Blind SQL Injection (Authenticated user) (CVE-2021-23837)

An authenticated admin user can exploit this vulnerability by manipulating the 'selected_folder' parameter found in the Files/ Manage Files module.

URL : http:// $HOST/acp/acp.php?tn=filebrowser&sub=browse
METHOD : POST
PARAMETER : selected_folder
PAYLOAD : %' AND 8483=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) AND 'eJQr%'='eJQr

 

Vulnerable / Tested Versions

flatCore CMS version 2.0.0 (Build 122) has been tested, which was the latest version available at the time of the test. Previous versions may also be affected.

 

Vendor Contact Timeline

2020-12-14 Contacting vendor through support@flatcore.de
2020-12-17 Advisory sent to the vendor
2020-12-31 Requesting status update from vendor
2021-01-05 Vendor replied that the reported issues have been fixed in version 2.0.0 (Build 139) released at their official GitHub page
2021-01-13 Release of security advisory.

Solution

The fixed version 2.0.0 (Build 139) is available for download at: https://github.com/flatCore/flatCore-CMS

 

Workaround

None

 

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF Yew Chung Cheah, Calvin Phang / @2021

Contact

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult?