Project: Github flatCore/flatCore-CMS 20191112

Vulnerability: #9253370 (2019-11-12 09:27:18)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PDO::exec
Risk _POST
/flatCore-CMS-master/install/php/createDB.php:13 (show/hide source)
1  <?php
2  
3  /**
4   * install flatCore
5   * create the sqlite database files
6   */
7  
8  if(!defined('INSTALLER')) {
9  	header("location:../login.php");
10  	die("PERMISSION DENIED!");
11  }
12  
13 $username = $_POST['username'];
14 $mail = $_POST['mail']; 15 $psw = $_POST['psw'];
Threat level 2

Callstack:

@FUNCTION::record_log /flatCore-CMS-master/acp/core/functions.php:434 (show/hide source)
414  		$dbh = null;
415  
416  		$counter = $result['counter'];
417  		return($counter);
418  }
419  
420  
421  /**
422   * write a log message
423   */
424  
425  function record_log($log_trigger = 'system', $log_entry, $log_priority = '0') {
426  
427  	$log_time = time();
428  	$dbh = new PDO("sqlite:".STATS_DB);
429  	$sql = "INSERT INTO log	(
430  			log_id , log_time , log_trigger , log_entry , log_priority
431  			) VALUES (
432  			NULL, '$log_time', '$log_trigger', '$log_entry', '$log_priority' ) ";
433  										
434 $cnt_changes = $dbh->exec($sql);
435 $dbh = null; 436
@INLINE::/flatCore-CMS-master/core/user_register.php /flatCore-CMS-master/core/user_register.php:163 (show/hide source)
143  			->setUsername("$prefs_smtp_username")
144  			->setPassword("$prefs_smtp_psw");
145  			
146  		if($prefs_mail_smtp_encryption_input != '') {
147  			$transport ->setEncryption($pb_prefs['prefs_smtp_encryption']);
148  		}
149  	} else {
150  		$transport = Swift_MailTransport::newInstance();
151  	}
152  	$mailer = Swift_Mailer::newInstance($transport);
153  	$message = Swift_Message::newInstance()
154  			->setSubject("Registrierungsdaten | $prefs_pagetitle")
155    		->setFrom(array("$prefs_mailer_adr" => "$prefs_mailer_name"))
156    		->setTo(array("$mail" => "$username"))
157    		->setBody("$email_msg", 'text/html');
158    $result = $mailer->send($message);
159  	
160  	$smarty->assign("msg_status","alert alert-success",true);
161  	$smarty->assign("register_message",$lang['msg_register_success'],true);
162  	
163 record_log("user_register","new user $username","6");
164 165 $admin_notification_text = $lang['msg_register_admin_notification_text'].'<hr>';