Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Full title: GetSimple CMS 3.2.1 Arbitrary File Upload / Cross Site Scripting
- Date add: 2013-05-06
- Category: web applications
- Verified: Not verified yet
- Platform: php
- Description:
- GetSimpleCMS version 3.2.1 suffers from a persistent cross site scripting vulnerability and remote arbitrary file upload vulnerability due to not using whitelisting.
- -------------------------------------------------------------------
- GetSimpleCMS Version 3.2.1 Arbitrary File Upload / Cross Site Scripting Vulnerabilities
- ===================================================================================
- # Exploit Title: GetSimpleCMS Version 3.2.1 Arbitrary File Upload Vulnerability
- # Download link: http://code.google.com/p/get-simple-cms/
- # version: 3.2.1
- # Category: webapps
- # Tested on: ubuntu 13.4
- # Author: Ahmed Elhady Mohamed
- # Email: ahmed.elhady.mohamed@gmail.com
- # Website: www.itsec4all.com
- ===================================================================================
- Description:
- - GetSimpleCMS Version 3.2.1 suffers from arbitrary file upload vulnerability which allows an attacker to upload a HTML page.
- - The main reason of this vulnerability is that the application uses a blacklist technique to compare the file aganist mime types and extensions.
- - If the mime type or the extension is in the blacklist array , the application won't upload it.
- Exploit:
- - For exploiting this vulnerability we will create a file with mutiple extensions for example "exploit.html.fr"
- - The application will check the mime type and extension of the file which is "fr" aganist the blacklist array mime type and extensions.
- - and ofcourse "fr" extension won't be in the blacklist array so the application will upload it successfully.
- - The uploaded file will be under the "data/uploads/" folder.
- Solution:
- - The application should use whitelisting technique which compare the file extensions and mime types aganist
- - acceptable mime types and extensions for more information google for "whitelisting vs blacklisting"
- Stored XSS Vulnerability:
- Page: edit.php
- Desc: inject your javascript code in "Page Title" field.
- POC: test" onClick="alert(/HackedByAhmed-Elhady-Mohamed/)
- Page: edit.php
- Desc: click on page option then check "add this page to the menu" then inject your javascript code in "post-menu"" field.
- POC: <script>alert(/HackedByAhmed-Elhady-Mohamed/)</script>
- page: settings.php
- Desc: inject javascript event in "Custom Permalink Structure" field
- POC: test" onClick="alert(/HackedByAhmed-Elhady-Mohamed/)
- page: settings.php
- Desc: inject javascript event in "Display name" field
- POC: test" onClick="alert(/HackedByAhmed-Elhady-Mohamed/)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement