Brief of this vulnerability
GetSimpleCMS allowed to upload the files that are able to execute HTML files.
There are 3 types of HTML executable files.
Test Environment
Affected version: 3.3.15
Payload
Move to http://[address]:[port]/[app_path]/admin/upload.php with admin credentials.
Upload prepared malformed files.
HTML File with no extension
test
<html><head><title>XSS</title></head><body><script>alert('xss')</script></body></html>
test.asdf
TESTEML Content-Type: text/html Content-Transfer-Encoding: quoted-printable XSS Test =3Cscript=3Ealert=281=29=3B=3C=2Fscript=3E
Click the uploaded file name or move to http://[address]:[port]/[app_path]/data/uploads/[uploaded file].
Profit!
Reason of This Vulnerability
In admin/upload-uploadify.php, the third parameter of validate_safe_file does not exist.
The function validate_safe_file is in admin/inc/security_functions.php, and the third parameter, mime, will be null.
As a result, the file filtering of validate_safe_file depends on extensions (it does not use the MIME type).
It allows uploading the three types of files that I introduced.
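One way to close the gap described in the issue above, as an added example that is not GetSimpleCMS code or the project's fix: a hypothetical is_upload_allowed() that refuses missing or unlisted extensions and then compares the MIME type sniffed by PHP's fileinfo extension with what that extension should contain. The allowlist entries and the sample files are constructed for illustration.

```php
<?php
// Added example: not GetSimpleCMS code. is_upload_allowed() and ALLOWED_TYPES
// are hypothetical names; the allowlist entries are assumptions.

// Extension => MIME types that content sniffing may report for that extension.
const ALLOWED_TYPES = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
];

function is_upload_allowed(string $tmpPath, string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    // Allowlist, not blocklist: "test" (no extension) and "test.asdf"
    // (unknown extension) are refused before any content is inspected.
    if ($ext === '' || !array_key_exists($ext, ALLOWED_TYPES)) {
        return false;
    }
    // Sniff the bytes on disk; the client-supplied Content-Type is not used.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $mime !== false && in_array($mime, ALLOWED_TYPES[$ext], true);
}

// Constructed sample uploads: [client file name, file content].
$html = "<html><head><title>t</title></head><body><p>hi</p></body></html>";
$png  = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x02\x00\x00\x00";
$samples = [
    ['test',      $html],  // no extension
    ['test.asdf', $html],  // extension not on the allowlist
    ['notes.txt', $html],  // allowed extension, HTML content
    ['logo.png',  $png],   // extension and content agree
];

foreach ($samples as [$name, $content]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    printf("%-10s %s\n", $name, is_upload_allowed($tmp, $name) ? 'accept' : 'reject');
    unlink($tmp);
}
```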
It looks like this was supposed to do mime checking and was removed or never implemented. Interesting
I got the CVEs for these vulnerabilities - CVE-2018-19420, CVE-2018-19421.
fixes #1301
764abc9
(I also confirmed the SVG issue, but there was already an issue for it - XSS & XML entity expansion attack using via svg file (XML rendering) in File uploads #1292.)