Secunia

Some vulnerabilities have been discovered in FlatnuX CMS, which can be exploited by malicious people to disclose sensitive information or conduct cross-site scripting attacks and by malicious users to compromise a vulnerable system.

1) Input passed to the "module" parameter in sections/02_Flatforum/search.php and sections/08_Files/search.php, to the "_FNVMOD" parameter in sections/06_Download/section.php, the "_FN[vmod]" parameter in sections/10_Login/section.php and none_Control_Center/section.php, and to the "_FN[theme]" parameter in themes/tp_alpha/theme.php, themes/tp_dhtml2/theme.php, and themes/tp_green/theme.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation allows to execute arbitrary PHP code e.g. via an uploaded avatar image, but requires that "register_globals" is enabled and "magic_quotes_gpc" is disabled.

2) The application does not properly check the file extensions of uploaded files. This can be exploited to upload and execute arbitrary PHP code e.g. via ".phtml" files.

Successful exploitation requires valid user credentials.

3) Input passed via certain parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Examples:
http://[host]/flatnux/index.php?mod=[XSS]
http://[host]/flatnux/index.php?mod=login&op=profile&user=[XSS]
http://[host]/flatnux/index.php?opindex=modcont&file=misc/motd.en.php&from=[XSS]
http://[host]/flatnux/controlcenter.php?mod=controlcenter&op=03_users/20_groups&opmod=insnew_groups&pk=[XSS]

4) It is possible to view certain system information returned by the "phpinfo()" function by accessing the script sections/none_Control_Center/phpinfo.php directly.

The vulnerabilities are confirmed in version 2009-03-27. Other versions may also be affected.

Solution
Update to version 2010-03-25 which fixes vulnerability #1 and partially fixes vulnerability #3. Edit the source code to ensure that input is properly sanitised and verified. Grant only trusted users access to the application. Restrict access to sections/none_Control_Center/phpinfo.php (e.g. via an .htaccess file).

Provided and/or discovered by
1, 2) girex
3, 4) MaXe, InterN0T

Changelog
Further details available in Customer Area

Original Advisory
FlatnuX:
http://www.flatnux.altervista.org/index.php?mod=10_devel/02_Changelog&lang=en

girex:
http://milw0rm.com/exploits/8483

InterN0T:
http://forum.intern0t.net/intern0t-advisories/1084-intern0t-flatnux-2009-03-27-cross-site-scripting-vulnerabilities-more.html

Deep Links
Links available in Customer Area