PHP Remote File Inclusion and RCE in flatpressblog/flatpress
Valid
Reported on Oct 4th 2022
Description
FlatPress has an "uploader" feature for uploading files and a "media manager" for displaying them. By uploading PHP files, users can perform a PHP Remote File Inclusion attack and gain RCE. Copy the following code and save it as test.Php (note the uppercase).
Proof of Concept (test.Php)
test<?php phpinfo(); ?>
- Log in to http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=default
- Go to the uploader and upload this PHP file
- Go to the media manager and click on the PHP file, or open it from the direct link:
  - http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=mediamanager
  - http://demos4.softaculous.com/FlatPresseidiiohclz/fp-content/attachs/test.php
- PHP RCE!
If you need more specific information, feel free to contact me.
Impact
Successful exploitation of PHP file inclusion may result in information disclosure or compromise of the vulnerable system. A remote attacker can read and write files or execute arbitrary code on the target system with the privileges of the web server. In this case we can do all of these things.
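The "(note the uppercase)" hint in the proof of concept points at upload checks that compare the file extension case-sensitively. The PHP below is an added example, not FlatPress code and not part of the original report: it contrasts such a check with a lowercase allowlist check. The blocklist, the allowlist, the function names and the sample file names are all constructed for illustration.

```php
<?php
// Added example, not FlatPress code; lists and function names are constructed.

// Weak check: case-sensitive comparison against a blocklist.
function weak_is_allowed(string $name): bool
{
    $blocked = ['php', 'phtml', 'phar'];
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return !in_array($ext, $blocked, true);   // "Php" !== "php", so it passes
}

// Hardened check: allowlist, compared in lowercase, applied to every
// dot-separated segment after the base name so "x.php.txt" is rejected too.
function strict_is_allowed(string $name): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    $base = basename(str_replace('\\', '/', $name));
    if ($base === '' || $base[0] === '.' || strpos($base, "\0") !== false) {
        return false;                    // empty, dotfile, or embedded NUL
    }
    $parts = explode('.', strtolower($base));
    array_shift($parts);                 // drop the name before the first dot
    if ($parts === []) {
        return false;                    // no extension at all
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Store under a server-generated name so the client-supplied name never
// reaches the filesystem; call only after strict_is_allowed() has passed.
function stored_name(string $name): string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names: the weak check accepts test.Php, the strict one does not.
foreach (['test.Php', 'test.php', 'photo.JPG', 'notes.php.txt', 'cat.png'] as $n) {
    printf("%-14s weak=%-5s strict=%s\n", $n,
        var_export(weak_is_allowed($n), true),
        var_export(strict_is_allowed($n), true));
}
```

Independently of filename checks, configuring the web server so that nothing under the upload directory (fp-content/attachs in the report) is handed to the PHP interpreter removes the code-execution impact of a file that slips through.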
We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. (6 months ago)
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back. (6 months ago)
We have sent a follow up to the flatpressblog/flatpress team. We will try again in 7 days. (6 months ago)
We have sent a second follow up to the flatpressblog/flatpress team. We will try again in 10 days. (6 months ago)
We have sent a third and final follow up to the flatpressblog/flatpress team. This report is now considered stale. (5 months ago)
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE