Critical Security Flaws Uncovered in PHPFusion CMS: CVE-2023-2453 and CVE-2023-4480

September 5, 2023

A team of researchers at Synopsys has identified a critical vulnerability in the PHPFusion open source content management system (CMS). The flaw, known as CVE-2023-2453, is an authenticated local file inclusion vulnerability that allows an attacker to execute remote code if they can upload a malicious '.php' file to a known location on the target system. This is one of two vulnerabilities that Synopsys recently discovered in PHPFusion. The second vulnerability, labelled as CVE-2023-4480, is a moderate-severity bug that enables attackers to read and write files in arbitrary locations on the affected system. Both vulnerabilities are present in PHPFusion versions 9.10.30 and earlier, with no patches currently available.

Despite multiple attempts to reach out to PHPFusion administrators through various channels, Synopsys received no response. PHPFusion is an open source CMS that has been in use since 2003. While it is not as widely recognized as other CMSs like WordPress, Drupal, and Joomla, it is used by around 15 million websites worldwide, as per the project's website. It is commonly utilized by small and medium-sized businesses for creating online forums, community-driven websites, and other digital projects.

CVE-2023-2453 stems from the improper sanitization of certain file types with tainted filenames. This allows attackers to upload and execute an arbitrary .php file on a vulnerable PHPFusion server. 'Exploitation of this vulnerability has effectively two requirements,' says Matthew Hogg, a software engineer at Synopsys' Software Integrity Group. The attacker needs to be able to authenticate to a low-privileged account and be aware of the vulnerable endpoint. A malicious actor who meets both criteria could exploit this vulnerability.

Ben Ronallo, a vulnerability management engineer at Synopsys, emphasizes that an attacker would need to somehow upload a malicious .php payload to a location on the vulnerable system. The attacker would need to examine the PHPFusion source code to identify the vulnerable endpoint. The potential actions an attacker can take after exploiting the vulnerability depend on the privileges associated with the PHPFusion user's account. In the worst-case scenario, an attacker could achieve remote code execution (RCE), given they have a way to upload a payload file for inclusion. This could result in the theft of sensitive information or even control over the vulnerable server.

The less severe bug discovered in PHPFusion, CVE-2023-4480, is related to an outdated dependency in a Fusion file manager component that can be accessed via the CMS' admin panel. An attacker with administrator or super administrator privileges can exploit this vulnerability to disclose the contents of files on a vulnerable system or write certain types of files to known paths on the server's filesystem, according to Synopsys.
