
FlatPress 1.0.3 CSRF Arbitrary File Upload

High
Advisory ID
ZSL-2016-5328
Release Date
30 May 2016
Vendor
Edoardo Vacchi - http://www.flatpress.org
Affected Version
1.0.3
CVE
N/A
Tested On
Apache/2.4.10, PHP/5.6.3
Summary

FlatPress is a blogging engine that saves your posts as simple text files. Forget about SQL! You just need some PHP.

Description

The vulnerability is caused by improper verification of files uploaded through the Uploader script's 'upload[]' POST parameter, which allows arbitrary files to be written into the '/fp-content/attachs' directory. In addition, the application interface lets users perform certain actions via HTTP requests without any check that the request was intentionally issued by that user (no CSRF protection). Combined, this can be exploited to perform actions with administrative privileges if a logged-in user visits a malicious web site: a malicious PHP script is uploaded through the forged request and then used to execute arbitrary PHP code and system commands on the server.
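The two defects named above (no CSRF check on the upload action, no validation of what is uploaded) are easiest to see side by side. The following is an added example, not FlatPress code: a hypothetical PHP upload handler that keeps the 'upload[]' field name and the '/fp-content/attachs' directory from this advisory, shows the weak pattern in `handle_upload_insecure`, and the hardened pattern in `handle_upload_secure`. The function names, the allowlist and the size limit are assumptions chosen for the illustration.

```php
<?php
// Added example (not FlatPress code): vulnerable upload pattern beside a hardened one.
session_start();

// Directory named in the advisory; MAX_BYTES and ALLOWED are assumed policy values.
const UPLOAD_DIR = __DIR__ . '/fp-content/attachs';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                    'gif' => 'image/gif', 'txt' => 'text/plain'];

// Weak pattern: no CSRF token, client-chosen file name, no content check.
// A forged cross-site POST from a logged-in admin's browser is accepted as-is.
function handle_upload_insecure(array $files): void {
    foreach ($files['upload']['name'] as $i => $name) {
        move_uploaded_file($files['upload']['tmp_name'][$i], UPLOAD_DIR . '/' . $name);
    }
}

// Per-session anti-CSRF token, embedded in the form and compared on submit.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Hardened pattern. Returns the server-generated names of the files it kept.
function handle_upload_secure(array $post, array $files): array {
    // 1. CSRF: the token must arrive in the form body; a cookie alone proves nothing.
    if (!isset($post['csrf']) || !hash_equals($_SESSION['csrf'] ?? '', $post['csrf'])) {
        throw new RuntimeException('CSRF token missing or invalid');
    }
    $saved = [];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    foreach ($files['upload']['name'] as $i => $clientName) {
        if ($files['upload']['error'][$i] !== UPLOAD_ERR_OK) { continue; }
        $tmp = $files['upload']['tmp_name'][$i];
        if (!is_uploaded_file($tmp) || $files['upload']['size'][$i] > MAX_BYTES) { continue; }
        // 2. Extension allowlist: only the final extension counts, lowercased.
        $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
        if (!isset(ALLOWED[$ext])) { continue; }
        // 3. Content check: detected MIME type must agree with the extension.
        if ($finfo->file($tmp) !== ALLOWED[$ext]) { continue; }
        // 4. Server-generated name: the client-supplied name never reaches the filesystem.
        $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (move_uploaded_file($tmp, $dest)) {
            chmod($dest, 0644);   // readable, never executable
            $saved[] = basename($dest);
        }
    }
    return $saved;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    try {
        echo json_encode(['saved' => handle_upload_secure($_POST, $_FILES)]);
    } catch (RuntimeException $e) {
        http_response_code(403);
        echo json_encode(['error' => $e->getMessage()]);
    }
    exit;
}
?>
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="file" name="upload[]" multiple>
  <button type="submit">Upload</button>
</form>
```

The allowlist plus MIME sniffing stops a PHP file from being accepted under a harmless name, and the random server-side name stops a caller from choosing a path or extension. As defence in depth, the upload directory should also be served with script execution disabled (for Apache, a directory configuration that removes the PHP handler), so that even a file that slips through validation is delivered as static content rather than run by the interpreter.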

Proof of Concept
Disclosure Timeline
04.04.2016 Vulnerability discovered.
05.04.2016 Vendor contacted.
06.04.2016 Vendor responds asking for more details.
06.04.2016 Sent details to the vendor.
11.04.2016 Asked vendor for status update.
13.04.2016 Working with the vendor.
29.05.2016 No response from the vendor.
30.05.2016 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
30.05.2016 Initial release
31.05.2016 Added references [1], [2] and [3]
12.06.2016 Added reference [4]