Mayk0

GetSimple CMS 3.2.1 Arbitrary File Upload / Cross Site Scrip

May 6th, 2013
Full title: GetSimple CMS 3.2.1 Arbitrary File Upload / Cross Site Scripting
Date added: 2013-05-06
Category: web applications
Verified: Not verified yet
Platform: php
Description:
GetSimpleCMS version 3.2.1 suffers from a persistent cross site scripting vulnerability and a remote arbitrary file upload vulnerability, the latter because the upload filter relies on a blacklist instead of a whitelist.
-------------------------------------------------------------------

GetSimpleCMS Version 3.2.1 Arbitrary File Upload / Cross Site Scripting Vulnerabilities
===================================================================================
# Exploit Title: GetSimpleCMS Version 3.2.1 Arbitrary File Upload Vulnerability
# Download link: http://code.google.com/p/get-simple-cms/
# Version: 3.2.1
# Category: webapps
# Tested on: Ubuntu 13.4
# Author: Ahmed Elhady Mohamed
# Email: ahmed.elhady.mohamed@gmail.com
# Website: www.itsec4all.com
===================================================================================
Description:
- GetSimpleCMS Version 3.2.1 suffers from an arbitrary file upload vulnerability which allows an attacker to upload an HTML page.
- The root cause is that the application uses a blacklist to check the uploaded file's MIME type and extension.
- If the MIME type or the extension is in the blacklist array, the application refuses the upload; anything not listed is accepted.

Exploit:
- To exploit this vulnerability, create a file with multiple extensions, for example "exploit.html.fr".
- The application checks the file's MIME type and only its final extension, which is "fr", against the blacklist array of MIME types and extensions.
- Since the "fr" extension is not in the blacklist array, the application uploads the file successfully.
- The uploaded file is stored under the "data/uploads/" folder.

Solution:
- The application should use a whitelisting technique which compares the file's extensions and MIME type against a list of acceptable MIME types and extensions. For more information, google "whitelisting vs blacklisting".

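As an added example (not GetSimple's own code), the following PHP contrasts the last-extension blacklist check described above with an allow-list check that inspects every extension segment of the name, so a double extension such as "exploit.html.fr" is rejected; the deny and allow lists are constructed for illustration.

```php
<?php
// Blacklist check as the advisory describes it: only the final extension
// is compared against a deny list, so "exploit.html.fr" is judged by "fr".
function blacklist_allows(string $filename, array $denied): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $denied, true);
}

// Allow-list check: every dot-separated segment after the base name must be
// on the allow list, so a second extension hidden before the last one fails.
function whitelist_allows(string $filename, array $allowed): bool
{
    $name  = basename($filename);            // drop any directory components
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                        // no extension at all, or a dotfile
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;                    // unknown segment anywhere in the name
        }
    }
    return true;
}

// Constructed lists for the demonstration; a real deployment would keep the
// allow list to the document and image types the site actually needs.
$denied  = ['php', 'phtml', 'html', 'htm', 'js'];
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

foreach (['photo.jpg', 'exploit.html.fr', 'shell.php', 'notes.pdf'] as $f) {
    printf("%-16s blacklist=%-5s whitelist=%s\n", $f,
        blacklist_allows($f, $denied)  ? 'allow' : 'deny',
        whitelist_allows($f, $allowed) ? 'allow' : 'deny');
}
```

The name check is only half of the fix: the stored file's MIME type should be verified from its contents (for example with PHP's finfo) against the same allow list, and the upload directory should not serve files as executable or as HTML.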
Stored XSS Vulnerability:

Page: edit.php
Desc: inject JavaScript code into the "Page Title" field.
POC: test" onClick="alert(/HackedByAhmed-Elhady-Mohamed/)

Page: edit.php
Desc: click on the page options, check "add this page to the menu", then inject JavaScript code into the "post-menu" field.
POC: <script>alert(/HackedByAhmed-Elhady-Mohamed/)</script>

Page: settings.php
Desc: inject a JavaScript event handler into the "Custom Permalink Structure" field.
POC: test" onClick="alert(/HackedByAhmed-Elhady-Mohamed/)

Page: settings.php
Desc: inject a JavaScript event handler into the "Display name" field.
POC: test" onClick="alert(/HackedByAhmed-Elhady-Mohamed/)