CyberSecurity SEE

Critical Vulnerability Found in PHPFusion CMS by Researchers

A critical vulnerability has been found in the PHPFusion open source content management system (CMS), according to security researchers. The flaw, known as CVE-2023-2453, is an authenticated local file inclusion vulnerability that allows for remote code execution. In other words, if an attacker can upload a specially crafted “.php” file to a specific location on a target system, they can execute arbitrary code.

This vulnerability is one of two recently discovered by researchers at Synopsys. The second flaw, labeled CVE-2023-4480, is a moderate-severity bug that enables attackers to read the contents of files on an affected system and write files to arbitrary locations.

Both vulnerabilities exist in PHPFusion versions 9.10.30 and earlier, and as of now, no patches are available for either issue. Synopsys made multiple attempts to contact PHPFusion administrators before disclosing the vulnerabilities, but there has been no response from the CMS platform.

PHPFusion is an open source CMS that has been in existence since 2003. While not as popular as other CMS platforms like WordPress, Drupal, and Joomla, it is still utilized by approximately 15 million websites worldwide. It is commonly chosen by small and midsize businesses for creating online forums, community-driven websites, and other similar projects.

According to Synopsys, the CVE-2023-2453 vulnerability occurs due to inadequate sanitization of certain file types with tainted filenames. This weakness allows attackers to potentially upload and execute arbitrary .php files on vulnerable PHPFusion servers.

Matthew Hogg, a software engineer at Synopsys, explained that exploiting this vulnerability requires fulfilling two criteria. First, the attacker needs to authenticate to a low-privileged account, and second, they must know the vulnerable endpoint. By meeting both requirements, a malicious actor can craft a payload to exploit the flaw.

Ben Ronallo, a vulnerability management engineer at Synopsys, emphasized that an attacker must find a way to upload a maliciously crafted .php payload to any location on a vulnerable system. Additionally, they need to review PHPFusion’s source code to identify the vulnerable endpoint.

The actions an attacker can take after exploiting this vulnerability depend on the privileges associated with the PHPFusion user’s account. For example, if an attacker gains access to administrator credentials, they can read arbitrary files on the underlying operating system. In the worst-case scenario, remote code execution is possible, potentially resulting in the theft of sensitive information or control over the vulnerable server.

Synopsys also discovered another vulnerability, CVE-2023-4480, in PHPFusion. This bug is related to an out-of-date dependency in a Fusion file manager component accessible through the CMS’s admin panel. Exploiting this flaw allows an attacker with administrator or super administrator privileges to disclose file contents or write specific file types to known paths on the server’s file system.

In conclusion, the PHPFusion CMS is currently plagued by two vulnerabilities, one of which is critical. While the vulnerabilities have been disclosed, no patches are available yet. Website owners and administrators using PHPFusion should stay vigilant and implement security measures to mitigate the risk until a fix is released.
