FlatPress 1.0.3 CSRF Arbitrary File Upload

Title: FlatPress 1.0.3 CSRF Arbitrary File Upload
Advisory ID: ZSL-2016-5328
Type: Local/Remote
Impact: Cross-Site Scripting, System Access
Risk: (4/5)
Release Date: 30.05.2016
Summary
FlatPress is a blogging engine that saves your posts as simple text files. Forget about SQL! You just need some PHP.
Description
The vulnerability is caused by improper verification of files uploaded through the Uploader script via the 'upload[]' POST parameter, which allows arbitrary files to be uploaded into the '/fp-content/attachs' directory. In addition, the application interface lets users perform certain actions via HTTP requests without any validity check on the origin of those requests. This can be exploited to perform actions with administrative privileges if a logged-in user visits a malicious web site, resulting in execution of arbitrary PHP code and system commands by uploading a malicious PHP script file.
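The two weaknesses named above (no origin check on the request and no verification of what is uploaded) are independent, and a handler has to close both. The sketch below is an added example written for this advisory, not FlatPress's own Uploader code and not the referenced PoC; it assumes PHP 7.1 or later, a session-bound CSRF token carried in a hidden form field named 'csrf', and an allowlist of non-executable extensions. The upload directory, size limit and allowlist are constructed values for illustration.

```php
<?php
// Added example (not FlatPress code): an upload endpoint for the 'upload[]'
// parameter that rejects cross-site requests and non-allowlisted files.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/fp-content/attachs';   // directory the advisory names
const MAX_BYTES  = 2 * 1024 * 1024;                    // constructed limit
const ALLOWED    = [                                   // extension => sniffed MIME types
    'jpg' => ['image/jpeg'], 'png' => ['image/png'], 'gif' => ['image/gif'],
    'pdf' => ['application/pdf'], 'txt' => ['text/plain'],
];

session_start();

// One token per session, embedded in the form as a hidden field. A page on
// another origin cannot read it, so a forged cross-site POST fails here.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);   // constant-time compare
}

// Returns the allowlisted extension for one uploaded file, or null to reject it.
function accepted_extension(array $file): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;
    // Decide on the last extension plus sniffed content, never on the
    // client-supplied Content-Type; "shell.php.jpg" yields "jpg" and must also sniff as an image.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) return null;
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return in_array($mime, ALLOWED[$ext], true) ? $ext : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
    // PHP flattens upload[] into parallel arrays; rebuild one record per file.
    $batch = $_FILES['upload'] ?? ['name' => [], 'tmp_name' => [], 'error' => [], 'size' => []];
    foreach ($batch['name'] as $i => $name) {
        $file = ['name' => $name, 'tmp_name' => $batch['tmp_name'][$i],
                 'error' => $batch['error'][$i], 'size' => $batch['size'][$i]];
        $ext = accepted_extension($file);
        if ($ext === null) { echo 'rejected: ' . htmlspecialchars($name) . "\n"; continue; }
        // Server-chosen name discards any path components or extra extensions the client sent.
        $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
        if (move_uploaded_file($file['tmp_name'], $dest)) echo 'stored: ' . basename($dest) . "\n";
    }
    exit;
}

// GET: render the form carrying the token that the POST must echo back.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf" value="{$token}">
  <input type="file" name="upload[]" multiple>
  <button type="submit">Upload</button>
</form>
HTML;
```

The token check and the file check each stop one half of the chain: without the token a logged-in administrator's browser can still be made to send the request, and without the allowlist and content sniff a legitimate administrator can still store a PHP file. As defense in depth, the web server should also be configured not to execute scripts from the attachment directory, so that even a file that slips past the allowlist is served as static content.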
Vendor
Edoardo Vacchi - http://www.flatpress.org
Affected Version
1.0.3
Tested On
Apache/2.4.10
PHP/5.6.3
Vendor Status
[04.04.2016] Vulnerability discovered.
[05.04.2016] Vendor contacted.
[06.04.2016] Vendor responds asking more details.
[06.04.2016] Sent details to the vendor.
[11.04.2016] Asked vendor for status update.
[13.04.2016] Working with the vendor.
[29.05.2016] No response from the vendor.
[30.05.2016] Public security advisory released.
PoC
flatpress_csrfupload.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/39870/
[2] https://cxsecurity.com/issue/WLB-2016050143
[3] https://packetstormsecurity.com/files/137248
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/113792
Changelog
[30.05.2016] - Initial release
[31.05.2016] - Added references [1], [2] and [3]
[12.06.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk