GetSimple CMS 3.2.1 Arbitrary File Upload / Cross Site Scripting

2013-05-06T00:00:00
ID 1337DAY-ID-20737
Type zdt
Reporter Ahmed Elhady
Modified 2013-05-06T00:00:00

Description

GetSimpleCMS version 3.2.1 suffers from a persistent cross site scripting vulnerability and remote arbitrary file upload vulnerability due to not using whitelisting.

                                        
                                            GetSimpleCMS Version 3.2.1 Arbitrary File Upload / Cross Site Scripting Vulnerabilities
===================================================================================
# Exploit Title: GetSimpleCMS Version 3.2.1 Arbitrary File Upload Vulnerability
# Download link: http://code.google.com/p/get-simple-cms/
# version: 3.2.1
# Category: webapps
# Tested on: ubuntu 13.4
# Author: Ahmed Elhady Mohamed
# Email: [email protected]
# Website: www.itsec4all.com
===================================================================================
Description:
  - GetSimpleCMS Version 3.2.1 suffers from arbitrary file upload vulnerability which allows an attacker to upload a HTML page.
  - The main reason of this vulnerability is that the application uses a blacklist technique to compare the file aganist mime types and extensions.
  - If the mime type or the extension is in the blacklist array , the application won't upload it.
  
Exploit:
  - For exploiting this vulnerability we will create a file with mutiple extensions for example "exploit.html.fr"
  - The application will check the mime type and extension of the file which is "fr" aganist the blacklist array mime type and extensions.
  - and ofcourse "fr" extension won't be in the blacklist array so the application will upload it successfully.
  - The uploaded file will be under the "data/uploads/" folder.
  
Solution:
  - The application should use whitelisting technique which compare the file extensions and mime types aganist
  - acceptable mime types and extensions for more information google for "whitelisting vs blacklisting"

Stored XSS Vulnerability:

Page: edit.php
Desc: inject your javascript code in "Page Title" field.
POC:  test" onClick="alert(/HackedByAhmed-Elhady-Mohamed/)

Page: edit.php 
Desc: click on page option then check "add this page to the menu" then inject your javascript code in "post-menu"" field.
POC:  <script>alert(/HackedByAhmed-Elhady-Mohamed/)</script>

page: settings.php 
Desc: inject javascript event in "Custom Permalink Structure" field 
POC:  test" onClick="alert(/HackedByAhmed-Elhady-Mohamed/)

page: settings.php 
Desc: inject javascript event in "Display name" field 
POC:  test" onClick="alert(/HackedByAhmed-Elhady-Mohamed/)

#  0day.today [2018-04-05]  #