
CyRC Vulnerability Advisory: CVE-2023-2453 Local File Inclusion in Forum Infusion and CVE-2023-4480 Arbitrary File Read in Fusion File Manager

Matthew Hogg

Sep 05, 2023 / 2 min read

The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-2453, an authenticated local file inclusion vulnerability in PHPFusion. PHPFusion is an open-source content management system (CMS) designed for managing personal or commercial websites and is offered under the GNU Affero General Public License v3.0.


CVE-2023-2453

There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement. This allows arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload.

CVE-2023-4480

Due to an out-of-date dependency in the “Fusion File Manager” component accessible through the admin panel, an attacker can send a crafted request that allows them to read the contents of files on the system accessible within the privileges of the running process. Additionally, they may write files to arbitrary locations, provided the files pass the application’s mime-type and file extension validation. 
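Both advisories describe the same underlying defect: a request-supplied name or path is concatenated into a filesystem path without canonicalisation or allowlisting. The following is an added example, not PHPFusion's code, written to show the vulnerable include pattern from CVE-2023-2453 next to two hardened alternatives: an allowlist lookup for includes, and a root-containment check of the kind a file manager such as the one in CVE-2023-4480 needs before reading or writing a path. All function, constant and directory names are hypothetical.

```php
<?php
// Added example, not PHPFusion's code: the include pattern the advisory
// describes beside two hardened alternatives. Function and constant names
// are hypothetical.

// Vulnerable pattern: a request-supplied name is concatenated into a path
// that goes straight to require_once, so traversal sequences in $section
// reach any readable .php file whose absolute path is known.
function load_section_unsafe(string $section): void
{
    require_once __DIR__ . '/sections/' . $section . '.php';
}

// Hardened pattern 1: map the request value through a fixed allowlist, so
// request data never contributes path characters at all.
const SECTION_FILES = [
    'threads' => 'threads.php',
    'posts'   => 'posts.php',
];

function load_section(string $section): void
{
    if (!array_key_exists($section, SECTION_FILES)) {
        throw new InvalidArgumentException('unknown section');
    }
    require_once __DIR__ . '/sections/' . SECTION_FILES[$section];
}

// Hardened pattern 2 (the check a file manager needs for reads and writes):
// canonicalise the requested path and confirm it still lies under the
// managed root. realpath() returns false for a path that does not exist
// yet, so a write target is canonicalised through its parent directory.
function resolve_within_root(string $root, string $relative): string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        throw new RuntimeException('root does not exist');
    }
    $candidate = $rootReal . DIRECTORY_SEPARATOR . $relative;
    $resolved = realpath($candidate);
    if ($resolved === false) {
        $parentReal = realpath(dirname($candidate));
        if ($parentReal === false) {
            throw new RuntimeException('parent directory does not exist');
        }
        $resolved = $parentReal . DIRECTORY_SEPARATOR . basename($candidate);
    }
    // Compare with a trailing separator so "/srv/files2" is not accepted
    // as a child of "/srv/files".
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if ($resolved !== $rootReal && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('path escapes managed root');
    }
    return $resolved;
}

// Demonstration on a temporary root (constructed for this example).
$root = sys_get_temp_dir() . '/fm_demo_' . getmypid();
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/notes.txt', "hello\n");

$requests = ['uploads/notes.txt', 'uploads/new.txt', '../../etc/passwd', 'uploads/../../escape.txt'];
foreach ($requests as $req) {
    try {
        echo $req, ' -> ', resolve_within_root($root, $req), "\n";
    } catch (RuntimeException $e) {
        echo $req, ' -> rejected (', $e->getMessage(), ")\n";
    }
}

unlink($root . '/uploads/notes.txt');
rmdir($root . '/uploads');
rmdir($root);
```

The first two demonstration requests resolve inside the temporary root (the second one as a not-yet-existing write target); the last two are rejected because canonicalisation lands them outside it. Because realpath() follows symlinks, a symlinked directory inside the root that points elsewhere is also rejected, which is usually the behaviour a file manager wants. The allowlist pattern is preferable wherever the set of includable files is fixed, since it removes the need to reason about path semantics at all.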

Exploitation

CVE-2023-2453

An attacker authenticated with “Member”, “Administrator”, or “Super Administrator” privileges can send a crafted HTTP GET request to an endpoint in the “Forum” Infusion with a vulnerable parameter containing traversal sequences to include and execute arbitrary ‘.php’ files on the underlying operating system.

CVE-2023-4480

An attacker that can log into the admin panel of the application via either an “Administrator” or “Super Administrator” account can send HTTP requests containing directory traversal payloads to an endpoint within the “Fusion File Manager” component to either disclose the contents of files or write files from a limited subset of types to known absolute paths on the underlying server’s filesystem. 

Affected software

  • PHPFusion 9.10.30 and earlier versions.

Impact

CVE-2023-2453

Exploitation of this vulnerability can lead to remote code execution (RCE) if an attacker can acquire some means of uploading a crafted payload file with the ‘.php’ extension to any known absolute path on the target system.

CVSS Base Score: 8.3 (High)

CVSS 3.1 Vector: CVSS3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C 

CVE-2023-4480

Exploitation of this vulnerability can lead to arbitrary file read and limited file write for known absolute paths on the host.

CVSS Base Score: 5.2 (Medium)

CVSS 3.1 Vector: CVSS3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C

Remediation

CVE-2023-2453

There is no patch available for this vulnerability. Disabling the “Forum” Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the “Forum” Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts.

CVE-2023-4480

There is no patch available for this vulnerability. Technologies such as a web application firewall may help to mitigate exploitation attempts. 
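Both remediation notes fall back on a web application firewall while no patch exists. As an added example that is not part of the advisory, the script below shows the kind of rule such a layer (or a periodic log review) would apply: it flags request lines whose URI still contains a dot-dot segment after URL decoding, including double-encoded variants. The access log lines are constructed for this example and the endpoint paths in them are hypothetical placeholders, not PHPFusion's real routes.

```php
<?php
// Added example, not from the advisory: flag request lines that carry
// directory-traversal indicators. Log lines are constructed; the endpoint
// paths are hypothetical placeholders.

function has_traversal(string $uri): bool
{
    // Decode repeatedly so double-encoded forms (%252e%252e) are seen too,
    // with a fixed cap so pathological input cannot loop for long.
    $decoded = $uri;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    // Treat backslashes like slashes, then look for a "../" segment.
    $decoded = str_replace('\\', '/', $decoded);
    return strpos($decoded, '../') !== false;
}

function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Common/combined log format: the request is quoted as
        // "METHOD URI HTTP/x.y"; extract the URI.
        if (!preg_match('/"(?:GET|POST|PUT) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        if (has_traversal($m[1])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample: two benign requests and two traversal attempts
// (one single-encoded, one double-encoded).
$sample = [
    '10.0.0.5 - - [05/Sep/2023:10:00:01 +0000] "GET /forum/view.php?page=threads HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Sep/2023:10:00:07 +0000] "GET /forum/view.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [05/Sep/2023:10:00:09 +0000] "GET /admin/filemanager.php?path=%252e%252e%252fconfig HTTP/1.1" 200 2048',
    '10.0.0.5 - - [05/Sep/2023:10:00:11 +0000] "GET /forum/thread.php?id=42 HTTP/1.1" 200 700',
];

foreach (scan_log($sample) as $hit) {
    echo "ALERT: ", $hit, "\n";
}
```

Run against the sample, the script prints alerts for the second and third lines only. Because the check is applied after decoding, it matches the same inputs whether the traversal sequence was sent plainly or percent-encoded, which is the property a WAF rule needs if it is to stand in for a missing patch; pairing it with the Forum Infusion being disabled, as the advisory recommends for CVE-2023-2453, removes the exposed endpoint rather than just watching it.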

Discovery credit

CVE-2023-2453

This vulnerability was discovered by CyRC researcher Matthew Hogg. 

CVE-2023-4480

This vulnerability was discovered by CyRC researcher Dharani Sri Penumacha. 

Timeline

2023-06-05 – Attempted to disclose issue to vendor via email.

2023-06-13 – Attempted to follow up on initial disclosure communication.

2023-06-26 – Attempted to contact via GitHub.

2023-08-01 – Attempted to contact via community forum. 

2023-09-05 – Public disclosure.

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also states that any individual or organization publishing scores should follow the guidelines so that anyone can understand how the score was calculated.
