The Black Duck Cybersecurity Research Center (CyRC) has discovered CVE-2023-2453, an authenticated local file inclusion vulnerability in PHPFusion. PHPFusion is an open-source content management system (CMS) designed for managing personal or commercial websites and is offered under the GNU Affero General Public License v3.0.
CVE-2023-2453 arises because tainted file names are insufficiently sanitized before being concatenated with a path that is subsequently passed to a ‘require_once’ statement. This allows any file with the ‘.php’ extension whose absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload a ‘.php’ file payload to target.
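As an added illustration (not PHPFusion's own code; the include directory, function names and the page allowlist are hypothetical), the include pattern the advisory describes, followed by a hardened resolver that confines includes to a fixed directory and an allowlist of page names:

```php
<?php
// Added illustration, not PHPFusion code. INCLUDE_ROOT and the allowlist
// are assumed values chosen for this example.
declare(strict_types=1);

const INCLUDE_ROOT = __DIR__ . '/pages';

// Vulnerable pattern: a request-controlled name is concatenated into a
// path and handed straight to require_once. Traversal sequences in $name
// escape INCLUDE_ROOT, so any readable .php file with a known absolute
// path on the host is included and executed.
function include_page_unsafe(string $name): void
{
    require_once INCLUDE_ROOT . '/' . $name . '.php';
}

// Hardened resolver: returns the absolute path to include, or null when
// the request does not map to an allowed file inside INCLUDE_ROOT.
function resolve_page(string $name, array $allowed): ?string
{
    // 1. Accept only a plain identifier: no '/', '\', '.', or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Only names on a fixed allowlist may be included at all.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 3. Canonicalise and confirm the result still lies under INCLUDE_ROOT
    //    (defence in depth against symlinks or a misconfigured root).
    $root = realpath(INCLUDE_ROOT);
    $path = realpath(INCLUDE_ROOT . '/' . $name . '.php');
    if ($root === false || $path === false) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_page_safe(string $name): void
{
    // Hypothetical allowlist of page names for this example.
    $path = resolve_page($name, ['index', 'view_thread', 'new_post']);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid page');
    }
    require_once $path;
}
```

A request such as `index.php?page=view_thread` resolves to a file under INCLUDE_ROOT, while any value containing traversal characters or not on the allowlist is rejected before `require_once` is reached.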
A second vulnerability stems from an out-of-date dependency in the “Fusion File Manager” component accessible through the admin panel: an attacker can send a crafted request that allows them to read the contents of files on the system accessible within the privileges of the running process. Additionally, they may write files to arbitrary locations, provided the files pass the application’s MIME-type and file extension validation.
For CVE-2023-2453, an attacker authenticated with “Member”, “Administrator”, or “Super Administrator” privileges can send a crafted HTTP GET request to an endpoint in the “Forum” Infusion whose vulnerable parameter contains traversal sequences, causing arbitrary ‘.php’ files on the underlying operating system to be included and executed.
For the “Fusion File Manager” vulnerability, an attacker who can log into the admin panel of the application via either an “Administrator” or “Super Administrator” account can send HTTP requests containing directory traversal payloads to an endpoint within the “Fusion File Manager” component to either disclose the contents of files or write files of a limited subset of types to known absolute paths on the underlying server’s filesystem.
Exploitation of CVE-2023-2453 can lead to remote code execution (RCE) if an attacker can acquire some means of uploading a crafted payload file with the ‘.php’ extension to any known absolute path on the target system.
CVSS Base Score: 8.3 (High)
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C
Exploitation of the “Fusion File Manager” vulnerability can lead to arbitrary file read and limited file write to known absolute paths on the host.
CVSS Base Score: 5.2 (Medium)
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
There is no patch available for CVE-2023-2453. Disabling the “Forum” Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the “Forum” Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts.
There is no patch available for the “Fusion File Manager” vulnerability. Technologies such as a web application firewall may help to mitigate exploitation attempts.
CVE-2023-2453 was discovered by CyRC researcher Matthew Hogg.
The “Fusion File Manager” vulnerability was discovered by CyRC researcher Dharani Sri Penumacha.
2023-06-05 – Attempted to disclose issue to vendor via email.
2023-06-13 – Attempted to follow up on initial disclosure communication.
2023-06-26 – Attempted to contact via GitHub.
2023-08-01 – Attempted to contact via community forum.
2023-09-05 – Public disclosure.
FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores must follow its guidelines so that anyone can understand how the score was calculated.