
Before GetSimpleCMS version 3.3.16, upload.php allowed uploading executable files, leading to RCE #1335

Closed
Cyc1e183 opened this issue Mar 19, 2021 · 2 comments
Comments

@Cyc1e183

Affected version: GetSimpleCMS before 3.3.16.

Vulnerable file: /admin/upload.php.

Cause of vulnerability: upload.php does not allow direct uploading of ph* type files, and it fails when directly uploading ph* files.
However, you can bypass the detection by uploading a phar file and adding picture file header information, such as a jpg header, to the file, which successfully uploads the phar file.
Because the phar file can be parsed normally after php7.2, you can directly upload the php webshell with the phar suffix.

Repair suggestion: add the ph* file to the upload blacklist

@tablatronix tablatronix added this to the 3.3.17 milestone Mar 19, 2021
tablatronix pushed a commit that referenced this issue Mar 19, 2021
@tablatronix
Member

tablatronix commented Mar 19, 2021

  • update blacklist mime type
  • update blacklist file type
  • update blacklist execution htaccess
  • add common whitelist to push users to use that instead and make it easier to turn on
  • rewrite this awful htaccess FilesMatch format.. da fuq? <FilesMatch "\.(([pP][hH][pP][0-9]?)|([pP][hH

Mitigation

Users can locally define the global $file_ext_whitelist in configuration.php to override the blacklists.

tablatronix pushed a commit that referenced this issue Mar 19, 2021
tablatronix pushed a commit that referenced this issue Mar 19, 2021
@Cyc1e183
Author

If installed in a php5.6 or php7.0 environment, the php7 suffix can also be used to construct and upload a shell (getshell), so php7 should also be added to the blacklist.

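The whitelist-first check described in the maintainer's mitigation above, together with the phar and php7 cases raised in this thread, as an added example (not GetSimpleCMS's own upload.php code): every extension in a multi-dot name is checked case-insensitively, a configured whitelist overrides the blacklist, and a magic-byte check is shown to be insufficient on its own. The list contents and the `upload_name_allowed` / `has_jpeg_magic` names are assumptions of this example.

```php
<?php
// Added example, not GetSimpleCMS code. $file_ext_whitelist mirrors the
// configuration.php override mentioned above; the list contents are assumed.
$file_ext_whitelist = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];
// Fallback blacklist, used only when no whitelist is configured.
$file_ext_blacklist = ['php', 'php3', 'php4', 'php5', 'php7', 'phps', 'phtml', 'phar', 'htaccess'];

/**
 * Decide whether an uploaded filename may be stored. Every extension in the
 * name is checked (shell.phar.jpg), comparison is case-insensitive (PhAr),
 * and a whitelist, when defined, takes precedence over the blacklist.
 */
function upload_name_allowed(string $name, ?array $whitelist, array $blacklist): bool {
    $parts = array_map('strtolower', explode('.', basename($name)));
    array_shift($parts);               // drop the base name, keep only extensions
    if ($parts === []) return false;   // no extension at all: reject
    foreach ($parts as $ext) {
        if ($whitelist !== null) {
            if (!in_array($ext, $whitelist, true)) return false;
        } else {
            // the ph* prefix catches php7/phar/phtml even if a list entry is missing
            if (in_array($ext, $blacklist, true) || strncmp($ext, 'ph', 2) === 0) return false;
        }
    }
    return true;
}

// A magic-byte check alone does not help: the bypass in this issue prepends a
// JPEG header to the file, so the extension decision above must be the gate.
function has_jpeg_magic(string $bytes): bool {
    return strncmp($bytes, "\xFF\xD8\xFF", 3) === 0;
}

// Constructed sample: JPEG header followed by a harmless placeholder body.
$sample = "\xFF\xD8\xFF\xE0" . "<?php /* constructed placeholder body */ ?>";
printf("sample has JPEG magic: %s\n", has_jpeg_magic($sample) ? 'yes' : 'no');

$cases = ['photo.jpg', 'shell.phar', 'shell.PhAr.jpg', 'shell.php7', '.htaccess', 'noext'];
foreach ($cases as $c) {
    printf("%-16s whitelist=%s  blacklist=%s\n", $c,
        upload_name_allowed($c, $file_ext_whitelist, $file_ext_blacklist) ? 'allow' : 'deny',
        upload_name_allowed($c, null, $file_ext_blacklist) ? 'allow' : 'deny');
}
```

Only photo.jpg is allowed under either mode; the remaining cases are denied regardless of the JPEG header, which is why the whitelist is the recommended setting.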
risingisland added a commit to multicolor-rgb/GetSimpleCMS-CE that referenced this issue Oct 4, 2022
risingisland added a commit to multicolor-rgb/GetSimpleCMS-CE that referenced this issue Oct 4, 2022