A new vulnerability has been discovered in Flusity-CMS 2.33, a popular content management system. It is tracked as CVE-2024-25410. The vulnerability allows attackers to upload files of dangerous types to the server without restriction, potentially leading to remote code execution and a complete compromise of the affected system. In this long-read post, we will dive deep into the details of this vulnerability. You will learn how the problem occurs, how it can be exploited, and what steps you can take to protect your Flusity-CMS installation.

Vulnerability Details

Flusity-CMS 2.33 suffers from a critical vulnerability in its update_setting.php file. This issue is caused by inadequate checking and filtering of file types during uploads. Consequently, attackers can upload malicious files, like PHP or other executable scripts, which can then be executed by accessing their URL.

To exploit this vulnerability, an attacker simply needs to upload a dangerous file with a disguised extension and access the file on the web server.

Here is an example code snippet highlighting the flaw in Flusity-CMS 2.33's update_setting.php file:

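if( isset( $_POST['submit'] ) ){
// ... Code omitted for brevity ...
	$filename=$_FILES['image']['name'];      // client-supplied name, used unchanged
	$tmpname=$_FILES['image']['tmp_name'];
	$folder='../logo/'.$filename;            // destination keeps the client's extension
	move_uploaded_file($tmpname, $folder);   // no type or extension check before the move
}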

In the above code, the $filename variable is taken directly from the client-supplied file name, and there is no adequate filtering or validation to determine whether the submitted file is of an allowed type. As a result, an attacker can bypass any checks and upload a dangerous script.

1. Create a malicious PHP file, such as malicious.php.

2. Modify the file extension of the malicious file to bypass any extension checks. For example, change malicious.php to malicious.jpg.php.

3. Upload the malicious file.

4. Determine the path and access the uploaded malicious file through a web browser, such as http://example.com/logo/malicious.jpg.php.

5. This would execute the PHP code inside the malicious file, potentially leading to complete system compromise depending on the code uploaded.

You can read more about this vulnerability and access the original references below:

1. Original Vulnerability Report
2. Flusity-CMS Official Website

Mitigation

To protect your Flusity-CMS installation from this vulnerability, we recommend taking the following steps:

1. Immediately upgrade Flusity-CMS to the latest version, which includes a patch for this vulnerability.

2. If upgrading is not an immediate option, you can manually modify the update_setting.php file to include appropriate validation and filtering of allowed file types.

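For example, you can use the following code snippet to check whether the uploaded file is an image. The type is detected from the file contents, because $_FILES['image']['type'] is supplied by the client. This check alone does not change the stored file name, so the extension must be restricted as well:

$allowed_image_types = array('image/jpeg', 'image/gif', 'image/png');
// Detect the MIME type from the uploaded bytes instead of trusting the request
$finfo = new finfo(FILEINFO_MIME_TYPE);
$detected_type = $finfo->file($_FILES['image']['tmp_name']);
if (in_array($detected_type, $allowed_image_types, true)){
	// Upload and process file
}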
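
A fuller version of the manual fix, as an added example that is not Flusity-CMS's own code or its official patch: it validates the upload by content and stores it under a server-generated name, so the client's file name and extension never reach disk. The 'image' field and the logo directory come from the snippet above; store_logo_upload(), the 2 MiB limit and the error messages are hypothetical, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not the project's code. store_logo_upload() and
// LOGO_MAX_BYTES are hypothetical names chosen for illustration.
const LOGO_MAX_BYTES = 2 * 1024 * 1024;
// Detected MIME type => extension assigned by the server.
const LOGO_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_logo_upload(array $file, string $dir): string
{
    // Reject failed uploads and array-style (multi-file) submissions.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed request');
    }
    if ($file['size'] > LOGO_MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Type is read from the bytes, never from $file['type'] or $file['name'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (LOGO_TYPES[$mime] ?? null) : null;
    if ($ext === null || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not an allowed image type');
    }
    // Server-generated name: "malicious.jpg.php" would be stored as
    // "<random>.jpg", so the web server has no .php file to execute.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    // move_uploaded_file() also verifies the file arrived via HTTP POST.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0644);
    return $name;
}

if (isset($_POST['submit'], $_FILES['image'])) {
    try {
        $stored = store_logo_upload($_FILES['image'], __DIR__ . '/../logo');
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit('Upload rejected');
    }
}
```

An image that still carries embedded PHP text is inert under this scheme because its stored extension is never .php; disabling script execution for the logo directory in the web server configuration adds a second layer.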

Conclusion

Flusity-CMS 2.33 is vulnerable to an unrestricted file upload attack. The vulnerability (CVE-2024-25410) allows an attacker to upload dangerous files, like PHP or other executable scripts, which can then be executed by accessing their URL, leading to a complete system compromise. To fix the issue, users should upgrade their Flusity-CMS installation to the latest version or modify the update_setting.php file to include appropriate validation and filtering of allowed file types.

Timeline

Published on: 02/26/2024 16:27:58 UTC
Last modified on: 04/03/2024 21:15:31 UTC