PHP Remote File Inclusion and RCE in flatpressblog/flatpress

Valid

Reported on

Oct 4th 2022


Description

FlatPress has a feature to upload files ("uploader") and display them from the "media manager". By uploading PHP files, users can perform a PHP remote file inclusion attack and gain RCE. Copy the following code and save it as test.Php (note the uppercase).

Proof of Concept (test.Php)

test<?php phpinfo(); ?>

  1. Log in to http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=default
  2. Go to the uploader and upload this PHP file
  3. Go to the media manager and click on the PHP file, or open it from the direct link
  4. http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=mediamanager
  5. http://demos4.softaculous.com/FlatPresseidiiohclz/fp-content/attachs/test.php
  6. PHP RCE!

uploaded! Executed!

If you need more specific information, feel free to contact me.

Impact

Successful exploitation of PHP file inclusion may result in information disclosure or compromise of the vulnerable system. A remote attacker can read and write files or execute arbitrary code on the target system with the privileges of the web server. In this case we can do all of these things.
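The report's "note the uppercase" remark suggests an upload name check that compares extensions case-sensitively. The following added example (not FlatPress code and not the project's fix) puts such a check beside a hardened allowlist check; the function names, both extension lists, and the assumption that the weak check is a case-sensitive blocklist are illustrative, not taken from the project.

```php
<?php
// Added example for defenders; not FlatPress code. All names and lists are assumptions.

// Extensions often mapped to the PHP handler (assumed; align with your server config).
const BLOCKED_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht'];
// Hypothetical allowlist for blog attachments.
const ALLOWED_EXTS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];

// Weak: case-sensitive blocklist on the last extension only.
function weak_is_allowed(string $name): bool
{
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return !in_array($ext, BLOCKED_EXTS, true);   // "Php" !== "php", so test.Php passes
}

// Hardened: allowlist, case-normalised, every dot-separated segment inspected.
function strict_is_allowed(string $name): bool
{
    if (strpos($name, "\0") !== false) {
        return false;                              // reject embedded NUL bytes
    }
    $name = basename(str_replace('\\', '/', $name)); // drop any client-supplied path
    if ($name === '' || $name[0] === '.') {
        return false;                              // no dotfiles such as .htaccess
    }
    $name  = rtrim($name, '. ');                   // "x.php." resolves to x.php on some hosts
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false;                              // an extension is required
    }
    array_shift($parts);                           // remove the base name
    if (!in_array(end($parts), ALLOWED_EXTS, true)) {
        return false;                              // final extension must be allowlisted
    }
    foreach ($parts as $segment) {
        if (in_array($segment, BLOCKED_EXTS, true)) {
            return false;                          // e.g. notes.php.txt under a loose handler mapping
        }
    }
    return true;
}

// Constructed sample file names, including the one from this report.
foreach (['photo.JPG', 'test.php', 'test.Php', 'notes.php.txt', '.htaccess'] as $n) {
    printf("%-14s weak=%-5s strict=%s\n", $n,
        var_export(weak_is_allowed($n), true), var_export(strict_is_allowed($n), true));
}
```

Name validation is one layer only; configuring the web server so that nothing under the upload directory (here `fp-content/attachs/`) is handed to the PHP interpreter removes the execution step even if a check is bypassed.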

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. (a year ago)
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back. (a year ago)
We have sent a follow up to the flatpressblog/flatpress team. We will try again in 7 days. (a year ago)
We have sent a second follow up to the flatpressblog/flatpress team. We will try again in 10 days. (a year ago)
We have sent a third and final follow up to the flatpressblog/flatpress team. This report is now considered stale. (a year ago)
flatpressblog/flatpress maintainer validated this vulnerability (9 months ago)
Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit c30d52 (9 months ago)
The fix bounty has been dropped
This vulnerability has been assigned a CVE
flatpressblog/flatpress maintainer published this vulnerability (9 months ago)