CVE-2009-0572 in flatnux
Summary
by MITRE
PHP remote file inclusion vulnerability in include/flatnux.php in FlatnuX CMS (aka Flatnuke3) 2009-01-27 and 2009-02-04, when register_globals is enabled and magic_quotes_gpc disabled, allows remote attackers to execute arbitrary PHP code via a URL in the _FNROOTPATH parameter to (1) index.php and (2) filemanager.php.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/16/2025
The CVE-2009-0572 vulnerability represents a critical remote file inclusion flaw discovered in the FlatnuX Content Management System, specifically affecting versions released on January 27 and February 4, 2009. This vulnerability exploits a fundamental security weakness in how the system handles user input parameters, creating an avenue for remote code execution that could compromise entire web servers. The flaw manifests when the PHP configuration has register_globals enabled and magic_quotes_gpc disabled, creating a dangerous combination that allows attackers to manipulate system behavior through crafted input parameters.
The technical exploitation of this vulnerability occurs through manipulation of the _FNROOTPATH parameter within the include/flatnux.php file, which is included in the index.php and filemanager.php scripts. When register_globals is enabled, PHP automatically creates global variables from GET, POST, and COOKIE data, effectively bypassing normal input validation mechanisms. Attackers can craft malicious URLs containing PHP code within the _FNROOTPATH parameter, which gets included and executed by the vulnerable system. The vulnerability specifically targets the include() function's behavior when processing user-supplied paths, allowing attackers to specify remote URLs that contain malicious PHP code to be executed on the target server.
The operational impact of this vulnerability is severe, as it enables attackers to execute arbitrary PHP code remotely without requiring authentication or prior access to the system. This capability allows for complete compromise of the affected web server, potentially leading to data theft, system infiltration, and further lateral movement within network environments. The vulnerability affects not only the CMS itself but also any applications or data hosted on the same server, making it particularly dangerous in shared hosting environments. The attack vector is straightforward and requires minimal technical expertise, making it a popular target for automated exploitation tools and malicious actors.
Security professionals should note that this vulnerability aligns with CWE-88, which describes improper neutralization of special elements used in an OS command, and relates to ATT&CK technique T1190 for exploiting vulnerabilities in web applications. The weakness essentially represents a classic path traversal and code inclusion vulnerability that has been prevalent in web applications for many years, demonstrating the importance of proper input validation and secure coding practices. Organizations should immediately disable register_globals in their PHP configurations and implement proper parameter validation to prevent such vulnerabilities from being exploited. Additionally, the use of PHP's magic_quotes_gpc feature or modern secure coding practices such as using include() with validated paths and implementing proper input sanitization can effectively mitigate this class of vulnerability. Regular security audits and vulnerability assessments are essential to identify and remediate similar weaknesses in web applications and CMS platforms.