+ "details": "## Summary\n\nFlarum's patch for [CVE-2023-27577](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) restricted the `@import` and `data-uri()` LESS features in the `custom_less` setting, but the same restriction was never applied to other settings registered as LESS config variables (for example `theme_primary_color` and `theme_secondary_color`, as well as any key registered via `Extend\\Settings::registerLessConfigVar()`).\n\nThose values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary `@import` directive into the compiled `forum.css`. Because the underlying LESS parser honours `@import (inline) '<path>'`, an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery).\n\n## Impact\n\nAn attacker who has compromised — or legitimately obtained — an administrator account can:\n\n- **Read arbitrary local files** reachable by the PHP process (e.g. `/etc/passwd`, `.env`, config files containing database credentials, OAuth secrets, API keys).\n- **Trigger outbound HTTP/HTTPS requests** from the Flarum host, enabling SSRF against internal services and cloud metadata endpoints such as `http://169.254.169.254/` (AWS IMDSv1, GCP, Azure).\n\nThe contents of the attacker-controlled import are embedded into the compiled `forum.css`, which is publicly served — so the attacker can retrieve whatever was read simply by fetching the CSS file.\n\nThis is a privilege-escalation vulnerability: a forum administrator is not intended to have host-level file read or access to internal network resources.\n\n### Example payload\n\nSubmitted via `POST /api/settings` with an admin session:\n\n```json\n{ \"theme_primary_color\": \"#4D698E;@import (inline) '/etc/passwd';\" }\n```\n\nThe setting is stored verbatim, interpolated into the LESS source on the next CSS compile, and the target file's contents appear in `/assets/forum.css`.\n\n## Patches\n\n- **`flarum/core` 1.8.16** — fix for the 1.x branch.\n- **`flarum/core` 2.0.0-rc.1** — fix for the 2.x branch.\n\nThe fix extends the existing `@import` / `data-uri()` validation in `Flarum\\Forum\\ValidateCustomLess::whenSettingsSaving` to every dirty setting whose key is registered as a LESS config variable, not just `custom_less`.\n\n## Workarounds\n\nIf upgrading is not immediately possible:\n\n- Ensure administrator accounts are protected with strong, unique passwords and (where supported) two-factor authentication.\n- Restrict administrator access to trusted users only.\n- Review the forum's public `forum.css` for unexpected content that could indicate prior exploitation.\n\nThere is no configuration-level mitigation on affected versions — the fix requires the upgraded code.\n\n## Resources\n\n- [CVE-2023-27577](https://nvd.nist.gov/vuln/detail/CVE-2023-27577) — the original vulnerability whose patch was incomplete.\n- [GHSA-vhm8-wwrf-3gcw](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) — the original advisory.\n\n## Credit\n\nReported to the Flarum Foundation by **William (Liam) Snow IV** ([@LiamSnow](https://github.com/LiamSnow)), discovered during a graduate-level network security lab at Worcester Polytechnic Institute.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments