A high-severity vulnerability has been discovered in PHPFusion, an open-source content management system (CMS) used by over 15 million websites worldwide to manage and customize their content and designs.
The authenticated local file inclusion vulnerability, CVE-2023-2453, could lead to remote code execution (RCE), enabling an attacker to access and run malicious commands on the target system.
The Synopsys Cybersecurity Research Centre (CyRC), which uncovered the bug, warned that there are currently no patches available to fix the vulnerability, nor are they aware of any plans by the project owners to create a patch.
CVE-2023-2453 affects Version 9.10.30 and earlier versions of PHPFusion. It has a CVSS Base Score of 8.3, giving it a ‘High’ severity rating.
Synopsys made numerous attempts to disclose the vulnerability to the vendor, via email, Github and the PHPFusion community forum, before making the public disclosure on September 5, 2023.
Matthew Hogg, Vulnerability Analyst, Synopsys Software Integrity Group, told Infosecurity that the team submitted the vulnerabilities to PHPFusion maintainers, receiving an automated response directing them to the PHPFusion forums.
“In doing so, we weren’t able to locate any record of these submissions on the PHPFusion forums. In submitting past vulnerabilities to various projects on behalf of Synopsys researchers over the years, this is the first time that our team encountered this situation,” he noted.
Risk of Data Theft
Synopsys explained that the vulnerability is caused by insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement. This can enable an attacker to include and execute arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed.
For exploitation, the attacker must have “Member,” “Administrator,” or “Super Administrator” privileges. They can then send a crafted HTTP GET request to an endpoint in the “Forum” Infusion with a vulnerable parameter containing traversal sequences to include and execute arbitrary ‘.php’ files on the underlying operating system.
Hogg said that an attacker with access to administrator credentials can read arbitrary files on the underlying operating system, as well as achieve RCE – the latter on the proviso they have a means of uploading a payload file to target for inclusion.
“Both cases could result in the theft of sensitive information, and the latter may allow control over the vulnerable server,” he commented.
The researchers emphasized that there are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload.
As no patch is available for the vulnerability, Hogg advised users to disable the “Forum” infusion through the admin panel to remove the endpoint through which the bug is exploited.
If it is not possible to do this, technologies such as a web application firewall may help to mitigate exploitation attempts. This will “add a layer of defense that may filter out attacks,” according to Hogg.
Second Vulnerability Discovery
The Synopsys team uncovered a second vulnerability in PHPFusion, a medium-severity authenticated arbitrary file read and limited file write flaw, CVE-2023-4480.
In this case, attackers authenticated with “Administrator” or “Super Administrator” privileges can read the contents of any file on the server if the absolute path is known and is accessible within the privileges of the user.
Again, no patch is available for the vulnerability, and Synopsys urged affected companies to utilize technologies like a web application firewall to help protect them.