CyRC Vulnerability Advisory

0

Synopsys researcher have discovered vulnerabilities CVE-2023-2453, CVE-2023-4480 in PHPFusion. 

The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-2453, an authenticated local file inclusion vulnerability in PHPFusion.

PHPFusion is an open-source content management system (CMS) designed for managing personal or commercial websites and is offered under the GNU Affero General Public License v3.0.

CVE-2023-2453 

There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement. This allows arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload. 

CVE-2023-4480 

Due to an out-of-date dependency in the “Fusion File Manager” component accessible through the admin panel, an attacker can send a crafted request that allows them to read the contents of files on the system accessible within the privileges of the running process. Additionally, they may write files to arbitrary locations, provided the files pass the application’s mime-type and file extension validation.  

Exploitation 

CVE-2023-2453 

An attacker authenticated with “Member”, “Administrator”, or “Super Administrator” privileges can send a crafted HTTP GET request to an endpoint in the “Forum” Infusion with a vulnerable parameter containing traversal sequences to include and execute arbitrary ‘.php’ files on the underlying operating system. 

CVE-2023-4480 

An attacker that can log into the admin panel of the application via either an “Administrator” or “Super Administrator” account can send HTTP requests containing directory traversal payloads to an endpoint within the “Fusion File Manager” component to either disclose the contents of files or write files from a limited subset of types to known absolute paths on the underlying server’s filesystem. 

Affected software 

  • PHPFusion 9.10.30 and earlier versions. 

Impact 

CVE-2023-2453 

Exploitation of this vulnerability can lead to remote code execution (RCE) if an attacker can acquire some means of uploading a crafted payload file with the ‘.php’ extension to any known absolute path on the target system. 

CVE-2023-4480 

Exploitation of this vulnerability can lead to arbitrary file read and limited file write for known absolute paths on the host. 

Remediation 

CVE-2023-2453 

There is no patch available for this vulnerability. Disabling the “Forum” Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the “Forum” Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts. 

CVE-2023-4480 

There is no patch available for this vulnerability. Technologies such as a web application firewall may help to mitigate exploitation attempts. 

Discovery credit 

CVE-2023-2453 

This vulnerability was discovered by CyRC researcher Matthew Hogg. 

CVE-2023-4480 

This vulnerability was discovered by CyRC researcher Dharani Sri Penumacha. 

Timeline  

  • 2023-06-05 – Attempted to disclose issue to vendor via email. 
  • 2023-06-13 – Attempted to follow up on initial disclosure communication 
  • 2023-06-26 – Attempted to contact via Github. 
  • 2023-08-01 – Attempted to contact via community forum. 
  • 2023-09-05 – Public disclosure. 

References 

Share.