PHPFusion Vulnerabilities: Reminder Why You Need CMS Security
If you’re publishing to the web with regularity, chances are, you’re using a content management system (CMS). CMS systems are the software platform that allows us to create, manage and publish digital content on the web. Whether that’s for your corporate blog, a shopping site, or simply informational purposes, you’re probably using one.
However, these systems have a history of security risks, and have often been the interface through which hackers have accessed data systems, planted malware, or stolen personal identification information (PII). Two recent CMS vulnerabilities, discovered by the Synopsys CyRC, reinforce why your organization needs a CMS security policy.
First, let’s take a look at the vulnerabilities. Many CMS systems rely on open source development, and like all open source systems, open source content management systems (CMS) are vulnerable because of the shared development environments that make them beneficial. PHPFusion is one of the smaller CMS products out there, however, it’s still used by roughly 15 million websites across the world.
An open source CMS, PHPFusion is designed for managing personal or commercial websites and is offered under the GNU Affero General Public License v3.0. Just recently, researchers working for the Synopsys Cybersecurity Research Center (CyRC) discovered significant flaws in PHPFusion. Websites using PHPFusion versions 9.10.30 and before are exposed to a severe risk as a result of these vulnerabilities.
Let’s take a look into the specifics of these vulnerabilities, their possible impact and the steps that you can take to safeguard your websites from being compromised.
CVE-2023-2453: Authenticated Local File Inclusion
On Sept. 5, Synopsys CyRC released information about CVE-2023-2453, an authenticated local file inclusion vulnerability in PHPFusion. The vulnerability enables the execution of remote code when an attacker uploads a maliciously constructed .php file to a predetermined location on a targeted system. The vulnerability is caused by insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a require_once statement.
To exploit this vulnerability, an attacker must have access to at least a low-privileged account. If an attacker takes advantage of this vulnerability, there is a chance they could launch a remote code execution (RCE) attack if they are able to upload a payload file to a location on the target system that has a known absolute path.
CVE-2023-4480 Fusion File Manager
This vulnerability has a severity rating of medium and is caused by an outdated dependency in the Fusion File Manager component that may be accessed through the administration panel of the CMS. This vulnerability can be exploited by an adversary with administrator or super administrator capabilities and allows them to read the contents of files on the system or write files to arbitrary locations, assuming that the files are able to pass validation checks.
If an attacker with administrative or superadministrative privileges sends specially crafted queries, they will gain read access for files stored in the system or write access for certain types of files in known locations on the file system of the server.
Regrettably, there is not yet a patch available for these vulnerabilities. Nevertheless, there are preventative measures that you can take:
- Using the administration control panel, turn off the forum called Infusion. This will eliminate the endpoint that allows for the exploitation of this vulnerability.
- To prevent future attempts to exploit a vulnerability, you should employ protection mechanisms such as a web application firewall (WAF).
Secure Your CMS to Secure Your Business
Ensuring the security of your CMS, and indeed, all your web applications, should be your priority as a business. Web application security (Web AppSec) involves making websites work even when attacked. While web applications have security safeguards to protect their assets from hostile actors, like all software, they have vulnerabilities like these two discovered by the CyRC. Secure development approaches and security mechanisms across the software development life cycle (SDLC) are your best defense when vulnerabilities inevitably arise.
The fact that these flaws were found in PHPFusion serves as a timely reminder that even less widely used content management system alternatives are susceptible to cyberattacks. The owners of websites and the managers of those sites should take urgent measures to limit these risks until updates are made available. Steps that are vital in protecting your website from potential dangers include maintaining a regular monitoring schedule for security upgrades and implementing the recommended security procedures.
When every business is a software business it’s crucial to secure systems like your CMS. The safety and security of this software is critical to minimizing your business risk. A robust AppSec strategy is the only way to lower business risk and help build trust in the security of your software.
