GetSimple CMS 3.1 information disclosure vulnerability

Further to my recent article on the GetSimple CMS cookie weakness, I have continued to look through the application and found another vulnerability.

This one isn't quite as risky as the cookie weakness, but information disclosure is still a problem in its own right: what it leaks can feed other attacks, especially on a shared hosting platform where the leaked details describe more than your own site.

The vulnerable code can only be reached by a logged-in user (although if you used the previous cookie weakness to forge your own cookie, that is not a problem). I don't buy the argument that security issues stop mattering once a user is logged in: on a shared system, even a compromise by a logged-in user can expose other users' data, which is obviously a problem and not acceptable.

The vulnerable page is loadtab.php

and the vulnerable code is below:

<?php
// First branch: item matches the current plugin id, so the callback
// comes from the plugin registry.
if ($plugin_id == @$_GET['item']) {
    call_user_func_array($plugin_info[$plugin_id]['load_data'], array());
// Second branch: item matched no plugin, and the raw request value
// is used as the callback name.
} else if (isset($_GET['item'])) {
    call_user_func_array($_GET['item'], array());
}
?>

You can see that the item parameter taken from the query string is passed, unsanitized, straight to call_user_func_array() as the callback name. The first branch is fine, since the callable comes from the plugin table; the problem is the else branch, which is reached whenever item does not match a plugin id. Provided you are logged in and satisfy the other constraints of the page (i.e. you also pass the id parameter), whatever you pass as item is called as a function with no arguments. In the case of item=phpinfo the full phpinfo() output is returned to you, exposing the document root and other server paths, the PHP version and loaded modules, ini settings, and the environment variables of the server process, none of which you would want an attacker to know. Note that phpinfo is only the obvious choice: any PHP function, or a "Class::method" string, that can be called with no arguments is reachable the same way.

The fix for this is really one for the GetSimple devs, but the principle is simple: item should only ever be used as a key to look up a registered plugin, with the callable taken from the plugin table, and user input should never be passed directly to call_user_func_array() as the function to call.
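To make that concrete, here is an added example (my own code, not GetSimple's) showing the page's vulnerable dispatch beside an allowlist-based version. The shape of $plugin_info is modelled on the snippet above; the plugin names, their load functions and the sample requests are constructed for the example.

```php
<?php
// Added example, not part of GetSimple CMS. The registry layout follows the
// loadtab.php snippet ($plugin_info[$id]['load_data']); the two plugins here
// are constructed for illustration.
$plugin_info = array(
    'hello_plugin' => array('load_data' => 'hello_plugin_load'),
    'stats_plugin' => array('load_data' => 'stats_plugin_load'),
);

function hello_plugin_load() { echo "hello tab loaded\n"; }
function stats_plugin_load() { echo "stats tab loaded\n"; }

// Vulnerable form, as on the page: when item matches no plugin id, the raw
// request value becomes the callback. item=phpinfo calls phpinfo().
function load_tab_vulnerable(array $get, array $plugin_info, $plugin_id)
{
    if ($plugin_id == @$get['item']) {
        call_user_func_array($plugin_info[$plugin_id]['load_data'], array());
    } else if (isset($get['item'])) {
        call_user_func_array($get['item'], array());
    }
}

// Hardened form: item is only ever a key into the plugin registry, and the
// callable comes from the registry, never from the request. Anything that is
// not a known plugin id is refused rather than guessed at.
function load_tab_hardened(array $get, array $plugin_info)
{
    if (!isset($get['item']) || !is_string($get['item'])) {
        return false;                       // missing, or item[]=... array trick
    }
    $item = $get['item'];
    if (!array_key_exists($item, $plugin_info)) {
        return false;                       // unknown tab: refuse
    }
    $cb = $plugin_info[$item]['load_data'];
    if (!is_callable($cb)) {
        return false;                       // registry entry broken: refuse
    }
    call_user_func_array($cb, array());     // callable chosen by us, not the user
    return true;
}

// Constructed requests: a legitimate tab, the phpinfo probe from the post,
// and an array-valued parameter.
$requests = array(
    array('item' => 'stats_plugin'),
    array('item' => 'phpinfo'),
    array('item' => array('x')),
);
foreach ($requests as $get) {
    $shown = is_array($get['item']) ? 'item[]' : 'item=' . $get['item'];
    $ok = load_tab_hardened($get, $plugin_info);
    printf("%-18s -> %s\n", $shown, $ok ? 'loaded' : 'rejected');
}
```

Run with php on the command line: only item=stats_plugin loads a tab, while item=phpinfo and the array form are rejected. The is_callable() check is defence in depth against a broken registry entry; the control that closes the hole is the array_key_exists() lookup, because after it the only strings ever handed to call_user_func_array() are the ones the application itself registered.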
