Code Injection in flatcore/flatcore-cms

Valid

Reported on

Oct 13th 2021


Description

Another code injection payload in link_name.

Proof of Concept

Insert the following into link_name:

${`sleep 10`}

Go to http://[FLATCORE-IP]/flatCore-CMS/content/cache/cache_lastedit.php and observe that the page takes 10 seconds to respond.

${} breaks out of the string (PHP evaluates the expression inside the braces when the value lands in a double-quoted string literal), and the backticks switch context to OS command execution.
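The root cause and the fix, as an added illustration that is not flatCore's own code: it assumes the cache writer emits PHP source containing the link name and later includes that file (the function and variable names here are invented).

```php
<?php
// Vulnerable pattern: the untrusted link name is concatenated into a
// double-quoted PHP string literal. When the cache file is included, PHP
// interpolates "${...}" and evaluates the expression inside the braces,
// so a value such as ${`sleep 10`} runs a shell command.
function buildCacheUnsafe(string $linkName): string
{
    return "<?php\n\$lastedit = \"" . $linkName . "\";\n";
}

// Hardened pattern: var_export() emits a single-quoted literal with quotes
// and backslashes escaped. Single-quoted strings are never interpolated,
// so the value stays data regardless of its content.
function buildCacheSafe(string $linkName): string
{
    return "<?php\n\$lastedit = " . var_export($linkName, true) . ";\n";
}

// Stronger still: keep data out of executable files and store JSON instead.
function buildCacheJson(string $linkName): string
{
    return json_encode(['lastedit' => $linkName], JSON_THROW_ON_ERROR);
}

// Regression check: write the hardened file, include it, and confirm the
// value round-trips as a plain string (constructed sample, from the report).
function roundTripSafe(string $linkName): bool
{
    $path = tempnam(sys_get_temp_dir(), 'cache_');
    file_put_contents($path, buildCacheSafe($linkName));
    $lastedit = null;
    include $path;           // only the single-quoted file is ever included
    unlink($path);
    return $lastedit === $linkName;
}

$payload = '${`sleep 10`}';
echo buildCacheUnsafe($payload);   // $lastedit = "${`sleep 10`}"; -> interpolated on include
echo buildCacheSafe($payload);     // $lastedit = '${`sleep 10`}'; -> literal text
var_dump(roundTripSafe($payload)); // bool(true), and no shell command ran
```

The same escaping rule applies to any other field (permalinks included) that is written into a generated PHP file.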

Impact

Blind RCE as admin user.

Occurrences

should clean permalinks too

We have contacted a member of the flatcore/flatcore-cms team and are waiting to hear back 2 months ago
haxatron modified their report 2 months ago
Patrick validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick confirmed that a fix has been merged on 2cb02c 2 months ago
Patrick has been awarded the fix bounty
functions.php#L389L397 has been validated