CVE-2024-25410

Vulnerability

The vulnerability resides in the update_setting.php file of flusity-CMS version 2.33. The file upload functionality for the brand icon does not properly validate file types; it only checks the MIME type but not the file extension, allowing an attacker to upload files with dangerous extensions such as .php. The commit [1] introduces an allowed extensions list (png, jpeg, jpg, gif) to mitigate this issue.

Exploitation

An attacker must first authenticate to the CMS. Default credentials (tester/1234) are provided in the installation. After logging in, the attacker navigates to Core Settings → Settings and selects a file to upload. Using an intercepting proxy, the attacker modifies the request: changes the filename to include a .php extension and replaces the file content with arbitrary PHP code. The crafted POST request is sent to /core/tools/actions/update_setting.php. The uploaded file is stored in the /uploads/ directory [2].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server. This can lead to full compromise of the CMS, including data theft, defacement, privilege escalation, and potential lateral movement within the hosting environment.

Mitigation

The fix is provided in commit [1], which adds a whitelist of allowed file extensions and removes the unique code from the filename. Users should update to the latest version of flusity-CMS or manually apply the patch. As of the publication date, no official release containing the fix has been announced. No workaround is available if the patch is not applied.