CVE-2019-11231
Published 2019-05-22
Priority: P1 81 · Severity: critical · CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit available. EPSS: 71.60% (99.3rd percentile)
An issue was discovered in GetSimple CMS through 3.3.15. Insufficient input sanitization in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be bypassed.

According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. What is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, so the .htaccess rules are ignored, leading to data/users/admin.xml password exposure. The passwords are hashed, but this can be bypassed by starting with the data/other/authorization.xml API key. This allows one to target the session state, since the project decided to roll its own implementation. The cookie_name is crafted from information that can be leaked from the frontend (site name and version). If someone leaks the API key and the admin username, they can bypass authentication by supplying a cookie based on a SHA-1 computation of this known information.

The vulnerability exists in the admin/theme-edit.php file. This file checks for form submissions via POST requests and for the CSRF nonce. If the nonce sent is correct, the file provided by the user is uploaded. There is a path traversal allowing write access outside the jailed themes directory root, but exploiting the traversal is not necessary because the .htaccess file is ignored. A contributing factor is that there is no further check on the extension before saving the file; the parameter content is assumed to be safe. This allows the creation of web-accessible and executable files with arbitrary content.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| get-simple | getsimple_cms | <= 3.3.15 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP GET requests to data/other/authorization.xml and data/users/*.xml, which are used to leak the API key and admin username for auth bypass.
- Detect forged session cookies matching the pattern GS_ADMIN_USERNAME=<user>;<SHA1(getsimple_cookie_<ver>+apikey)>=<SHA1(user+apikey)> — the cookie is entirely SHA-1 computed from leaked public values.
- Alert on HTTP POST requests to admin/theme-edit.php containing the parameters submitsave, edited_file, content, and nonce — this is the file-upload exploitation path.
- Detect PHP files written into the themes directory (theme/*.php) via POST to admin/theme-edit.php, indicating successful arbitrary file upload exploitation.
- Check that AllowOverride is enabled in the Apache config to prevent the .htaccess bypass; absence of AllowOverride is a contributing factor enabling this exploit.
- The exploit only works when Apache's AllowOverride is disabled (the default), causing .htaccess restrictions to be ignored and allowing PHP files in the themes directory to be executed.
- Authentication bypass requires that data/other/authorization.xml and the data/users/ directory listing are publicly accessible (HTTP 200); if these are protected, the unauthenticated path is blocked.
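The detection items above, as an added example that is not part of this record or of GetSimple CMS: a small Python scanner that applies them to Apache combined-format access-log lines and checks an httpd.conf fragment for the AllowOverride setting. The log lines, the /gs/ install path, the client addresses, the rule names and the configuration text are all constructed for illustration; only the file paths (data/other/authorization.xml, data/users/*.xml, admin/theme-edit.php, theme/*.php) come from the record.

```python
import re

# Constructed sample access-log lines (Apache combined format); not real traffic.
# 203.0.113.5 walks the full chain: read API key, list users, read admin record,
# POST to theme-edit.php, then request a PHP file from the themes directory.
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2019:10:01:02 +0000] "GET /gs/ HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.5 - - [20/May/2019:10:01:05 +0000] "GET /gs/data/other/authorization.xml HTTP/1.1" 200 143 "-" "python-requests/2.21"
203.0.113.5 - - [20/May/2019:10:01:06 +0000] "GET /gs/data/users/ HTTP/1.1" 200 981 "-" "python-requests/2.21"
203.0.113.5 - - [20/May/2019:10:01:06 +0000] "GET /gs/data/users/admin.xml HTTP/1.1" 200 622 "-" "python-requests/2.21"
203.0.113.5 - - [20/May/2019:10:01:09 +0000] "POST /gs/admin/theme-edit.php HTTP/1.1" 200 3311 "-" "python-requests/2.21"
203.0.113.5 - - [20/May/2019:10:01:10 +0000] "GET /gs/theme/Innovation/x7f2.php HTTP/1.1" 200 57 "-" "python-requests/2.21"
198.51.100.9 - - [20/May/2019:10:05:00 +0000] "GET /gs/data/users/admin.xml HTTP/1.1" 403 199 "-" "curl/7.64"
198.51.100.9 - - [20/May/2019:10:06:00 +0000] "GET /gs/theme/Innovation/style.css HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# (rule name, path regex, allowed methods, only count 2xx responses?)
# A 2xx on the data files means the .htaccess protection is not in effect;
# a 403 there is the healthy case and is deliberately not flagged.
RULES = [
    ("api-key-exposure", r"/data/other/authorization\.xml$", ("GET",), True),
    ("user-record-exposure", r"/data/users/(?:[^/]*\.xml)?$", ("GET",), True),
    ("theme-edit-write", r"/admin/theme-edit\.php$", ("POST",), False),
    ("php-in-themes-dir", r"/theme/.*\.php$", ("GET", "POST"), True),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # ignore query string
    return entry


def classify(entry):
    """Return the names of all rules the parsed entry matches."""
    hits = []
    for name, pattern, methods, need_success in RULES:
        if entry["method"] not in methods or not re.search(pattern, entry["path"]):
            continue
        if need_success and not 200 <= entry["status"] < 300:
            continue
        hits.append(name)
    return hits


def scan(log_text):
    """Run every rule over every line; return a list of finding dicts."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for name in classify(entry):
            findings.append({"rule": name, "ip": entry["ip"],
                             "path": entry["path"], "status": entry["status"]})
    return findings


def exploit_chains(findings):
    """IPs that read the API key, wrote via theme-edit.php and then had PHP served from theme/."""
    rules_by_ip = {}
    for f in findings:
        rules_by_ip.setdefault(f["ip"], set()).add(f["rule"])
    needed = {"api-key-exposure", "theme-edit-write", "php-in-themes-dir"}
    return sorted(ip for ip, rules in rules_by_ip.items() if needed <= rules)


# Constructed httpd.conf fragments: the weak one leaves Apache's default
# (AllowOverride None), so the shipped .htaccess files are never consulted.
WEAK_CONF = ('<Directory "/var/www/html">\n    Options Indexes FollowSymLinks\n'
             '    AllowOverride None\n    Require all granted\n</Directory>\n')
FIXED_CONF = WEAK_CONF.replace("AllowOverride None", "AllowOverride All")


def allowoverride_disabled(conf_text, docroot):
    """True when .htaccess would be ignored for docroot (no block, or AllowOverride None)."""
    block = re.search(r'<Directory\s+"?%s/?"?\s*>(.*?)</Directory>' % re.escape(docroot),
                      conf_text, re.S | re.I)
    if block is None:
        return True  # Apache 2.4's built-in default is AllowOverride None
    m = re.search(r"^\s*AllowOverride\s+(\S+)", block.group(1), re.M | re.I)
    return m is None or m.group(1).lower() == "none"


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print("full chains from:", exploit_chains(SAMPLE_LOG and scan(SAMPLE_LOG)))
    print("weak conf ignores .htaccess:", allowoverride_disabled(WEAK_CONF, "/var/www/html"))
    print("fixed conf ignores .htaccess:", allowoverride_disabled(FIXED_CONF, "/var/www/html"))
```

The rules deliberately key on response status: a 200 on data/other/authorization.xml or data/users/*.xml is itself the misconfiguration finding, while a 403 there shows the .htaccess rules are in force and is left alone. `exploit_chains` correlates per source address so a single POST to theme-edit.php by a legitimate admin is not reported as a compromise on its own.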
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
No detection rules found.
Exploit-DB
GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit) (exploitdb · 2019-05-20)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "GetSimpleCMS Unauthenticated RCE",
  'Description' => %q{
    This module exploits a vulnerability found in GetSimpleCMS,
    which allows unauthenticated attackers to perform Remote Code Execution.
    An arbitrary file upload (PHP code for example) vulnerability can be triggered by an authenticated user,
    however authentication can be bypassed by leaking the cms API key to target the session manager.
  },
  'License' => MSF_LICENSE,
  'Author' =>
    [
      'truerand0m' # Discovery, exploit and Metasploit from Khalifazo,incite_team
    ],
  'References' =>
    [
      ['CVE', '2019-11231'],
      ['URL', 'http
```
Metasploit
GetSimpleCMS Unauthenticated RCE
This module exploits a vulnerability found in GetSimpleCMS, which allows unauthenticated attackers to perform Remote Code Execution. An arbitrary file upload (PHP code for example) vulnerability can be triggered by an authenticated user, however authentication can be bypassed by leaking the cms API key to target the session manager.
No writeups or analysis indexed.