FlatPress 1.0.3 CSRF Arbitrary File Upload

2016-05-30T00:00:00
ID ZSL-2016-5328
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-05-30T00:00:00

Description

Title: FlatPress 1.0.3 CSRF Arbitrary File Upload
Advisory ID: ZSL-2016-5328
Type: Local/Remote
Impact: Cross-Site Scripting, System Access
Risk: (4/5)
Release Date: 30.05.2016

Summary

FlatPress is a blogging engine that saves your posts as simple text files. Forget about SQL! You just need some PHP.

Description

The vulnerability is caused by improper verification of files uploaded via the Uploader script using the 'upload[]' POST parameter, which allows arbitrary files to be uploaded into the '/fp-content/attachs' directory. The application interface also allows users to perform certain actions via HTTP requests without performing any validity checks on those requests. This can be exploited to perform actions with administrative privileges if a logged-in user visits a malicious web site, resulting in execution of arbitrary PHP code: a malicious PHP script file is uploaded and then used to execute system commands.
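The two controls the description says are missing, a request-validity (CSRF) check and verification of the uploaded file, shown in a hypothetical PHP upload handler written for this advisory page (it is not FlatPress's Uploader script). The 'upload[]' parameter and the attachs directory are taken from the advisory; the session-token scheme, the extension allowlist and the file layout are assumptions.

```php
<?php
// Added example, not FlatPress code: a minimal multi-file upload handler showing
// the two missing controls the advisory describes: a per-session CSRF token check
// and an allowlist on uploaded file names. The 'upload[]' parameter name and the
// 'fp-content/attachs' directory follow the advisory; everything else is assumed.
session_start();

// Issue a token once per session; the upload form must embed it in a hidden field.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_token_valid(array $post, array $session): bool
{
    // hash_equals() compares in constant time and requires string operands.
    return isset($post['csrf_token'], $session['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Allowlist of non-executable types; anything else (php, phtml, ...) is rejected.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function safe_attachment_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Server-chosen name: no client-controlled characters (or a second extension
    // such as .php.jpg) reach the filesystem.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('missing or invalid CSRF token');
    }
    $dest = __DIR__ . '/fp-content/attachs/';
    $files = $_FILES['upload'] ?? [];
    foreach ((array) ($files['tmp_name'] ?? []) as $i => $tmp) {
        $ok = ($files['error'][$i] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_OK;
        $name = safe_attachment_name((string) ($files['name'][$i] ?? ''));
        if (!$ok || $name === null || !is_uploaded_file($tmp)) {
            continue; // rejected; log the attempt if desired
        }
        move_uploaded_file($tmp, $dest . $name);
    }
}
```

Serving the attachs directory with PHP execution disabled (for example a `php_flag engine off` or equivalent rule) is a second, independent layer in case a file does slip past the allowlist.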

Vendor

Edoardo Vacchi - <http://www.flatpress.org>

Affected Version

1.0.3

Tested On

Apache/2.4.10
PHP/5.6.3

Vendor Status

[04.04.2016] Vulnerability discovered.
[05.04.2016] Vendor contacted.
[06.04.2016] Vendor responds asking for more details.
[06.04.2016] Sent details to the vendor.
[11.04.2016] Asked vendor for status update.
[13.04.2016] Working with the vendor.
[29.05.2016] No response from the vendor.
[30.05.2016] Public security advisory released.

PoC

flatpress_csrfupload.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/39870/>
[2] <https://cxsecurity.com/issue/WLB-2016050143>
[3] <https://packetstormsecurity.com/files/137248>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/113792>

Changelog

[30.05.2016] - Initial release
[31.05.2016] - Added references [1], [2] and [3]
[12.06.2016] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;