A vulnerability was found in FineCMS 5.2.0. It has been rated as critical. This issue affects an unknown function of the file v5/config/system.php of the component Membr API. The manipulation of the argument SYS_KEY as part of a PHP File leads to a key management vulnerability. Using CWE to declare the problem leads to CWE-320. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php.

The bug was discovered 11/21/2017. The weakness was released 11/21/2017 (Website). The advisory is shared at gitee.com. The identification of this vulnerability is CVE-2017-16920 since 11/21/2017. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1600.001 for this issue.

By approaching the search of inurl:v5/config/system.php it is possible to find vulnerable targets with Google Hacking.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Name

• FineCMS

Version

• 5.2.0

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion