flatCore CMS 1.4.6: Remote Code Execution and Easteregg17 Oct 2017 by Dennis Detering
flatCore is a lightweight Content Management System (CMS) based on PHP and SQLite. It is designed to be as minimalistic as possible, but can be easily extended by its modular structure. We tested the latest stable version 1.4.6 with RIPS and detected, among others, a critical persistent cross-site scripting vulnerability (CVE-2017-1000428) that can be used by an unauthenticated adversary to attack administrators and to execute PHP code on the web server. Further, we found an interesting easteregg.
The ~74,000 lines of code of the flatCore CMS were analyzed in less than 3 minutes. RIPS discovered multiple vulnerabilities ranging from open redirection (CVE-2017-11205) and cross-site scripting (CVE-2017-11204) to SQL injection (CVE-2017-11207), many of them being exploitable as unauthenticated attacker. Furthermore, the use of weak cryptography (CVE-2017-11208) in the user registration, resulting in a bypass of the email confirmation step by guessing the activation token, and a host header injection (CVE-2017-11206) issue, allowing remote attackers to trigger outbound transmission of email containing a malicious link, were identified.
Persistent Cross-Site-Scripting to RCE - CVE-2017-11204
RIPS’ analysis revealed a critical second-order cross-site scripting vulnerability (persistent XSS) within the
In the administration interface of flatCore, the administrator is able to view statistics of the visitors, including the requested query parameters, time of visit, IP address, user agent and referer. Due to the nature of its occurrence, an unauthenticated user is able to control the data being logged.
The following exemplary request shows how to insert the most simple XSS payloads into the
Referer HTTP header values.
Every time a privileged user visits the statistics page at
/acp/acp.php?tn=system&sub=stats, the payload gets triggered.
Just for the fun, we’re adding a bit of obfuscation and inject it into the user agent (incomplete payload):
exploit.php file is created on the server. Uploaded files are publicly stored at
/content/files/[FILENAME] and by accessing our uploaded file, the PHP code is executed on the web server. Thus, this vulnerability allows to fully compromise the web server.
It really depends whether one uses a single or a double quote. Due to a typo in using a single quote for the hash generation within the “reset password” feature of flatCore, all reset tokens are the same:
Anyone can trigger the password reset of any user - and the reset token will always be
55e9d52dee90aaa4096364e73a05bc68. This is not directly exploitable, as a newly generated password is sent to the user’s email address. However, the link generation is based on
$_SERVER[HTTP_HOST], which is a user-controlled parameter. So by manipulating the HTTP
Host header to, for example,
evil.com when requesting a password reset, the specific user will receive an email with a manipulated link, directing to a different domain and thus leaking sensitive information on clicking. This easteregg has already been detected and fixed in build 1.4.7-b74 (stable version released on 2017/09/04)
|2017/07/11||Provided vulnerability details to vendor.|
|2017/07/12||Vendor acknowledged the report.|
|2017/07/13||CVE identifier CVE-2017-1000428 assigned.|
|2017/09/04||Vendor released fixed version 1.4.7|
Multi-order vulnerabilities are hard to detect and usually not discovered by vulnerability scanners. By using static code analysis techniques and inspecting the complete data flow of all processed user input, RIPS detected this persistent cross-site scripting vulnerability, which triggers on a different page within the administration interface. Cross-site scripting vulnerabilities are often underestimated and only associated with a simple text window popping up. As shown in this article, a single cross-site scripting vulnerability can lead to remote code execution and the full compromise of a web application.
We would like to thank the flatCore CMS team for the quick and uncomplicated communication. They addressed all reported vulnerabilities and released a fixed version 1.4.7 that all flatCore users should update to immediately.