Following on from my series of GetSimple CMS articles, this one details an LFI (local file inclusion) vulnerability which is present in the current release and the current beta version, 3.2beta.
As per the previous article this requires you to be logged in as a valid user.
The code at fault is in the settings.php page, in the handling of the language parameter; I have listed the relevant section below:
$LANG = $_POST['lang'];
Then it's used here
So, for example, if you post the following request you will get the /etc/passwd file. Given that these days it contains no passwords, that is probably the least of your worries; more likely an attacker would be after other files that contain credentials.
POST /admin/settings.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept-Encoding: gzip, deflate
As I've mentioned in previous articles, whilst this requires a valid user, it's not acceptable that even an authenticated user can read files off the local file system, especially in the case of hosted systems.
In extreme circumstances this LFI can also lead to complete server compromise, using a technique where PHP code is injected into files which are readable by the web process and subsequently included via the above request and executed.
Again, simple user input validation would entirely prevent this attack.
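The kind of input validation meant here, as an added example that is not GetSimple's own code: the language value is accepted only if it is a short identifier and names a file that actually exists inside the language directory, and the resolved path is checked to stay under that directory. The function name, the `lang/` directory layout and the `en_US` default are assumptions for illustration.

```php
<?php
// Added example (not GetSimple code): allowlist validation for a language
// selector such as the `lang` POST parameter discussed above.
// Assumed layout: lang/en_US.php, lang/de_DE.php, ...

/**
 * Return a safe language code, or null if the candidate is rejected.
 */
function validate_lang(string $candidate, string $langDir): ?string
{
    // 1. Syntactic allowlist: letters, digits and underscore only, 2-10 chars.
    //    This alone rejects "../", slashes, null bytes and scheme prefixes.
    if (!preg_match('/^[A-Za-z0-9_]{2,10}$/', $candidate)) {
        return null;
    }

    // 2. Semantic allowlist: the value must name an existing language file.
    $base     = realpath($langDir);
    $resolved = realpath($langDir . DIRECTORY_SEPARATOR . $candidate . '.php');
    if ($base === false || $resolved === false) {
        return null;
    }

    // 3. Containment check: the resolved path must remain inside $langDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Usage: fall back to a default rather than using the rejected value.
$langDir = __DIR__ . '/lang';                     // assumed location
$LANG = validate_lang($_POST['lang'] ?? '', $langDir);
if ($LANG === null) {
    $LANG = 'en_US';                              // assumed default
}
include $langDir . '/' . $LANG . '.php';
```

The regex check is the part that stops the path traversal; the `realpath` containment check is belt and braces in case the allowed character set is ever loosened, and the file-exists requirement means the parameter can only ever select one of the shipped language files.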