GetSimpleCMS Version 3.2.1 Arbitrary File Upload / Cross Site Scripting Vulnerabilities

GetSimpleCMS Version 3.2.1 Arbitrary File Upload / Cross Site Scripting Vulnerabilities

===================================================================================

# Exploit Title: GetSimpleCMS Version 3.2.1 Arbitrary File Upload Vulnerability

# Download link: http://code.google.com/p/get-simple-cms/

# version: 3.2.1

# Category: webapps

# Tested on: ubuntu 10.04

# Author: Bond Benz

# Email: islambenzeghli@gmail.com

# Website: www.outlaws.labxi.com

===================================================================================

Description:

  - GetSimpleCMS Version 3.2.1 suffers from arbitrary file upload vulnerability which allows an attacker to upload a HTML page.

  - The main reason of this vulnerability is that the application uses a blacklist technique to compare the file aganist mime types and extensions.

  - If the mime type or the extension is in the blacklist array , the application won't upload it.

   

Exploit:

  - For exploiting this vulnerability we will create a file with mutiple extensions for example "exploit.html.fr"

  - The application will check the mime type and extension of the file which is "fr" aganist the blacklist array mime type and extensions.

  - and ofcourse "fr" extension won't be in the blacklist array so the application will upload it successfully.

  - The uploaded file will be under the "data/uploads/" folder.

   

Solution:

  - The application should use whitelisting technique which compare the file extensions and mime types aganist

  - acceptable mime types and extensions for more information google for "whitelisting vs blacklisting"

 

Stored XSS Vulnerability:

 

Page: edit.php

Desc: inject your javascript code in "Page Title" field.

POC:  test" onClick="alert(/HackedByBondBenz/)

 

Page: edit.php

Desc: click on page option then check "add this page to the menu" then inject your javascript code in "post-menu"" field.

POC:  <script>alert(/HackedByBondBenz/)</script>

 

page: settings.php

Desc: inject javascript event in "Custom Permalink Structure" field

POC:  test" onClick="alert(/HackedByBondBenz/)

 

page: settings.php

Desc: inject javascript event in "Display name" field

POC:  test" onClick="alert(/HackedByBondBenz/)