Safety researchers have found what they described as a important vulnerability within the comparatively extensively used PHPFusion open supply content material administration system (CMS).
The authenticated native file inclusion flaw, recognized as CVE-2023-2453, permits for distant code execution if an attacker can add a maliciously crafted “.php” file to a identified path on a goal system.
It’s one among two vulnerabilities that researchers at Synopsys found not too long ago in PHPFusion. The opposite flaw, tracked as CVE-2023-4480, is a moderate-severity bug within the CMS that offers attackers a solution to learn the contents of information on an affected system and likewise to put in writing information to arbitrary areas on it.
The vulnerabilities exist in variations 9.10.30 of PHPFusion and earlier. No patch is presently out there for both flaw.
No Patch Accessible But
Synopsys mentioned it tried to contact directors at PHPFusion a number of occasions, first by way of electronic mail, then via a vulnerability disclosure course of, then GitHub, and eventually by way of a neighborhood discussion board, earlier than disclosing it this week. PHPFusion didn’t reply to a request for remark from Darkish Studying.
PHPFusion is an open supply CMS that has been out there since 2003. Although it isn’t as effectively often called different content material administration methods similar to WordPress, Drupal, and Joomla, some 15 million web sites world wide presently use it, in accordance with the mission web site. Small and midsize companies typically use it for constructing on-line boards, community-driven web sites, and different on-line tasks.
In line with Synopsis, CVE-2023-2453 stems from improper sanitization of sure kinds of information with tainted filenames. The difficulty offers attackers a possible solution to add and execute an arbitrary .php file on a weak PHPFusion server.
Circumstances for Exploitation
“Exploitation of this vulnerability has successfully two necessities,” says Matthew Hogg, software program engineer at Synopsys’ Software program Integrity Group, who found the vulnerability. Considered one of them is that the attacker wants to have the ability to authenticate to a minimum of a low-privileged account, and the opposite is that they should know the weak endpoint. “By fulfilling each standards, a malicious actor would be capable of craft a payload to take advantage of this vulnerability,” Hogg says.
Ben Ronallo, vulnerability administration engineer at Synopsys, says it is essential to notice that an attacker would wish to search out some solution to add a maliciously crafted .php payload to any location on a weak system. “The attacker would wish to assessment the supply code of PHPFusion to determine the weak endpoint,” Ronallo says.
What an attacker can do after exploiting the vulnerability relies on the privileges related to the PHPFusion consumer’s account. An attacker with entry to administrator credentials, for example, can learn arbitrary information on the underlying working system. “Within the worst case, an attacker may obtain distant code execution (RCE), supplied they’ve some means to add a payload file to focus on for inclusion,” he says. “Each circumstances may end result within the theft of delicate info, and the latter might permit management over the weak server.”
In the meantime, the much less extreme bug that Synopsys found in PHPFusion (CVE-2023-4480) is tied to an out-of-date dependency in a Fusion file supervisor part that’s accessible by way of the CMS’s admin panel. An attacker with the privileges of an administrator or tremendous administrator can exploit the vulnerability to both disclose the contents of information on a weak system or write sure kinds of information to identified paths on the server’s file system, Synopsys mentioned.