Researchers Discover Critical Vulnerability in PHPFusion CMS

Security researchers have discovered what they described as a critical vulnerability in the relatively widely used PHPFusion open source content management system (CMS).

The authenticated local file inclusion flaw, identified as CVE-2023-2453, allows for remote code execution if an attacker can upload a maliciously crafted “.php” file to a known path on a target system.

It is one of two vulnerabilities that researchers at Synopsys discovered recently in PHPFusion. The other flaw, tracked as CVE-2023-4480, is a moderate-severity bug in the CMS that gives attackers a way to read the contents of files on an affected system and also to write files to arbitrary locations on it.

The vulnerabilities exist in versions 9.10.30 of PHPFusion and earlier. No patch is currently available for either flaw.

No Patch Available Yet

Synopsys said it attempted to contact administrators at PHPFusion multiple times, first via email, then through a vulnerability disclosure process, then GitHub, and finally via a community forum, before disclosing it this week. PHPFusion did not respond to a request for comment from Dark Reading.

PHPFusion is an open source CMS that has been available since 2003. Though it is not as well known as other content management systems such as WordPress, Drupal, and Joomla, some 15 million websites around the world currently use it, according to the project website. Small and midsize businesses often use it for building online forums, community-driven websites, and other online projects.

According to Synopsis, CVE-2023-2453 stems from improper sanitization of certain types of files with tainted filenames. The issue gives attackers a potential way to upload and execute an arbitrary .php file on a vulnerable PHPFusion server.

Conditions for Exploitation

“Exploitation of this vulnerability has effectively two requirements,” says Matthew Hogg, software engineer at Synopsys’ Software Integrity Group, who discovered the vulnerability. One of them is that the attacker needs to be able to authenticate to at least a low-privileged account, and the other is that they need to know the vulnerable endpoint. “By fulfilling both criteria, a malicious actor would be able to craft a payload to exploit this vulnerability,” Hogg says.

Ben Ronallo, vulnerability management engineer at Synopsys, says it’s important to note that an attacker would need to find some way to upload a maliciously crafted .php payload to any location on a vulnerable system. “The attacker would need to review the source code of PHPFusion to identify the vulnerable endpoint,” Ronallo says.

What an attacker can do after exploiting the vulnerability depends on the privileges associated with the PHPFusion user’s account. An attacker with access to administrator credentials, for instance, can read arbitrary files on the underlying operating system. “In the worst case, an attacker could achieve remote code execution (RCE), provided they have some means to upload a payload file to target for inclusion,” he says. “Both cases could result in the theft of sensitive information, and the latter may allow control over the vulnerable server.”

Meanwhile, the less severe bug that Synopsys discovered in PHPFusion (CVE-2023-4480) is tied to an out-of-date dependency in a Fusion file manager component that is accessible via the CMS’s admin panel. An attacker with the privileges of an administrator or super administrator can exploit the vulnerability to either disclose the contents of files on a vulnerable system or write certain types of files to known paths on the server’s file system, Synopsys said.