exploit the possibilities

flatCore CMS XSS / File Disclosure / SQL Injection

flatCore CMS XSS / File Disclosure / SQL Injection
Posted Jan 13, 2021
Authored by Calvin Phang, Yew Chung Cheah | Site sec-consult.com

flatCore CMS versions prior to 2.0.0 build 139 suffer from cross site scripting, file disclosure, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
advisories | CVE-2021-23835, CVE-2021-23836, CVE-2021-23837, CVE-2021-23838
MD5 | 1fa6af99aeb588403f58ee25830613f4

flatCore CMS XSS / File Disclosure / SQL Injection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20210113-1 >
=======================================================================
title: Multiple Vulnerabilities
product: flatCore CMS
vulnerable version: < 2.0.0 Build 139
fixed version: Release 2.0.0 Build 139
CVE number: CVE-2021-23835, CVE-2021-23836, CVE-2021-23837, CVE-2021-23838
impact: High
homepage: https://flatcore.org/
found: 2020-11-20
by: Yew Chung Cheah (Office Singapore)
Calvin Phang (Office Singapore)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Atos company
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"flatCore is based on PHP and PDO/SQLite. The Core is as minimalistic as
possible, but can be easily extended by the modular structure. If you are
looking for a solution to edit your website live and with ease, flatCore
may be your buddy."

Source: https://flatcore.org/


Business recommendation:
------------------------
The vendor provides an updated version which should be installed immediately.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross-Site Scripting (Authenticated user) (CVE-2021-23838)
A reflected cross-site scripting vulnerability was identified in the 'media_filter'
HTTP request body parameter for the 'acp' interface. The affected parameter
accepts malicious client side script without proper input sanitization. For
example, a malicious user can leverage this vulnerability to steal cookies
from a victim user and perform a session hijacking attack which may then lead to
unauthorized access to the site.

2) Stored Cross-Site Scripting (Authenticated user) (CVE-2021-23836)
A stored cross-site scripting vulnerability was identified in the 'prefs_smtp_psw'
HTTP request body parameter for the 'acp' interface. An admin user can inject
malicious client side script to the affected parameter without any form of
input sanitization. The injected payload will be executed in the browser of a
user whenever one visits the affected module page.

3) Local File Disclosure (Authenticated user) (CVE-2021-23835)
A local file disclosure vulnerability was identified in the 'docs_file'
HTTP request body parameter for the 'acp' interface which can be exploited with
admin access rights. The affected parameter which retrieves the contents of the
specified file was found to be accepting malicious user inputs without proper input
sanitization, thus leading to retrieval of backend server sensitive files, for
example /etc/passwd, sqlite database files, PHP source code etc.

4) Time Based Blind SQL Injection (Authenticated user) (CVE-2021-23837)
A time based blind SQL injection was identified in the 'selected_folder'
HTTP request body parameter for the 'acp' interface. The affected parameter
which retrieves the file contents of the specified folder was found to be
accepting malicious user inputs without proper input sanitization, thus leading
to SQL injection. Database related information can be successfully retrieved.


Proof of concept:
-----------------
1) Reflected Cross-Site Scripting (Authenticated user) (CVE-2021-23838)
An authenticated admin user can exploit this vulnerability by manipulating
the 'media_filter' parameter found in the Files/ Manage Files module.

URL : http://$HOST/acp/acp.php?tn=filebrowser&sub=browse
METHOD : POST
PARAMETER : media_filter
PAYLOAD : aaa%3cscript%3ealert(document.cookie)%3c%2fscript%3ebbb

2) Stored Cross-Site Scripting (Authenticated user) (CVE-2021-23836)
An authenticated admin user can exploit this vulnerability by manipulating
the 'prefs_smtp_psw' parameter found in the System/ E-Mail module.

URL : http://$HOST/acp/acp.php?tn=system&sub=mail
METHOD : POST
PARAMETER : prefs_smtp_psw
PAYLOAD : '%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3eaaabbb

3) Local File Disclosure (Authenticated user) (CVE-2021-23835)
An authenticated admin user can exploit this vulnerability by manipulating
the 'docs_file' parameter found in the help module.

URL : http://$HOST/acp/acp.php
METHOD : POST
PARAMETER : docs_file
PAYLOAD : %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd

4) Time Based Blind SQL Injection (Authenticated user) (CVE-2021-23837)
An authenticated admin user can exploit this vulnerability by manipulating
the 'selected_folder' parameter found in the Files/ Manage Files module.

URL : http://$HOST/acp/acp.php?tn=filebrowser&sub=browse
METHOD : POST
PARAMETER : selected_folder
PAYLOAD : %' AND 8483=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) AND 'eJQr%'='eJQr


Vulnerable / tested versions:
-----------------------------
flatCore CMS version 2.0.0 (Build 122) has been tested, which was the latest
version available at the time of the test. Previous versions may also be affected.


Vendor contact timeline:
------------------------
2020-12-14 | Contacting vendor through support@flatcore.de
2020-12-17 | Advisory sent to the vendor
2020-12-31 | Requesting status update from vendor
2021-01-05 | Vendor replied that the reported issues have been fixed in
version 2.0.0 (Build 139) released at their official GitHub page
2021-01-13 | Release of security advisory.


Solution:
---------
The fixed version 2.0.0 (Build 139) is available for download at:
https://github.com/flatCore/flatCore-CMS


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Yew Chung Cheah, Calvin Phang / @2021

Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close