GetSimpleCMS allowed to some files that are able to execute HTML

[Hexife]

Brief of this vulnerability
GetSimpleCMS allowed to upload the files that are able to execute HTML files.

There are 3 types of HTML executable files.

• HTML File with no extension
• HTML File with uncommon extension ( e.g. asdf)
• HTML encoded as EML ( Triggered in IE only )
  (I also confirmed about SVG issue, but there was the issue already - XSS & XML entity expansion attack using via svg file (XML rendering) in File uploads  #1292. )

Test Environment

• Apache/2.4.18 (Debian)
• PHP 5.6.38-2+ubuntu16.04.1+deb.sury.org+1 (cli)

Affect version
3.3.15

Payload

• move to http://[address]:[port]/[app_path]/admin/upload.php with admin credential

• Upload prepared malformed files.

• HTML File with no extension

  • Filename - test

<html><head><title>XSS</title></head><body><script>alert('xss')</script></body></html>

• HTML File with uncommon extension
  • Filename - test.asdf

<html><head><title>XSS</title></head><body><script>alert('xss')</script></body></html>

• HTML File encoded as EML
  • Filename - test.eml

TESTEML
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

XSS Test
=3Cscript=3Ealert=281=29=3B=3C=2Fscript=3E

3. Click the uploaded file name or
   move to http://[address]:[port]/[app_path]/data/uploads/[uploaded file].

4. Profit!

Reason of This Vulnerability

In admin/upload-uploadify.php , Third parameter of validate_safe_file is not exist.

Function validate_safe_file is in admin/inc/security_functions.php and Third parameter, mime, will be null.

As a result, the file filtering of validate_safe_file depend on extensions. ( Not use MIME Type )

It can allows to upload the three type files that I introduced.

[tablatronix]

It looks like this was supposed to do mime checking amd was removed or never implemented. Interesting

[Hexife]

I got the CVE for this vulnerabilities - CVE-2018-19420, CVE-2018-19421.