Flarum LESS Parser Vulnerability in Theme Color Settings Allowing Path Traversal

Vulnerability

A path traversal vulnerability has been identified in Flarum, an open-source forum software, prior to versions 1.8.16 and 2.0.0-rc.1. The issue arises from an incomplete patch for CVE-2023-27577, which restricted certain LESS features in the 'custom_less' setting but failed to apply the same limitations to other LESS config variables, such as 'theme_primary_color' and 'theme_secondary_color'. This oversight allows authenticated administrators to inject arbitrary @import directives into the compiled forum.css, potentially leading to local file inclusion or server-side request forgery.

Impact

Exploitation of this vulnerability could allow an authenticated administrator to read arbitrary files accessible by the PHP process, such as '/etc/passwd' or environment files containing sensitive information like database credentials and API keys. Additionally, it could enable server-side request forgery, allowing the attacker to make HTTP requests from the server to internal services or cloud metadata endpoints.

Reproduction

To reproduce this vulnerability, an authenticated administrator can send a POST request to the '/api/settings' endpoint with a payload that includes an @import directive in the 'theme_primary_color' or 'theme_secondary_color' settings. The injected @import will be processed by the LESS parser, allowing access to local files or the ability to make outbound HTTP requests.

Remediation

Users can upgrade to Flarum versions 1.8.16 or 2.0.0-rc.1, both of which include the necessary fix. The update can be downloaded from the Flarum GitHub repository.
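As an added example (not Flarum's own code or its actual patch), the following audit check applies the restriction the advisory describes as missing: a theme color setting is accepted only if it is a plain hex color, so an @import directive arriving through the settings endpoint or already stored in the settings table is flagged. The sample rows and the placeholder file name are constructed.

```python
import re

# Allow-list: a theme color setting should only ever hold a CSS hex color
# (#rgb or #rrggbb) or be empty, in which case the default theme color applies.
HEX_COLOR_RE = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

# The settings the advisory names as reaching the LESS compiler unrestricted.
THEME_COLOR_KEYS = ("theme_primary_color", "theme_secondary_color")

# LESS constructs that never belong in a color value. Used only to label a
# finding; the allow-list above is what actually decides acceptance.
LESS_DIRECTIVE_RE = re.compile(r"@import|@plugin|url\s*\(|data-uri\s*\(", re.IGNORECASE)


def check_color_setting(value: str) -> tuple[bool, str]:
    """Return (ok, reason) for one theme color value."""
    value = value.strip()
    if value == "" or HEX_COLOR_RE.match(value):
        return True, "hex color"
    if LESS_DIRECTIVE_RE.search(value):
        return False, "LESS directive injected into color setting"
    return False, "value is not a hex color"


def audit_theme_settings(settings: dict[str, str]) -> list[dict]:
    """Flag every theme color setting that is not a plain hex color.

    `settings` is a key -> value mapping, e.g. rows exported from the settings
    table or the body of a settings update request before it is saved.
    """
    findings = []
    for key in THEME_COLOR_KEYS:
        value = settings.get(key, "")
        ok, reason = check_color_setting(value)
        if not ok:
            findings.append({"key": key, "reason": reason, "value": value})
    return findings


# Constructed sample: one benign color and one value carrying an injected
# directive (the file name is a placeholder, not a real target).
SAMPLE_SETTINGS = {
    "theme_primary_color": "#4D698E",
    "theme_secondary_color": '#ff0000; @import "placeholder.less";',
}

if __name__ == "__main__":
    for finding in audit_theme_settings(SAMPLE_SETTINGS):
        print(f"{finding['key']}: {finding['reason']} -> {finding['value']!r}")
```

Until the upgrade is applied, running this over a settings export is a quick way to confirm that no stored theme color already carries a directive.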

Added: May 8, 2026, 6:02 PM
Updated: May 8, 2026, 6:02 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.4
exploitability: 5.7
remediation: 7.9
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.