CVE-2019-11231
published 2019-05-22


Priority: P1 81 · critical · CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 71.60% (99.3th percentile)
An issue was discovered in GetSimple CMS through 3.3.15. Insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be bypassed. According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. However, what is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, leading to data/users/admin.xml password exposure. The passwords are hashed, but this can be bypassed by starting with the data/other/authorization.xml API key. This allows one to target the session state, since the project rolled its own implementation. The cookie_name is crafted from information that can be leaked from the frontend (site name and version). If someone leaks the API key and the admin username, then they can bypass authentication. To do so, they need to supply a cookie based on a SHA-1 computation of this known information. The vulnerability exists in the admin/theme-edit.php file. This file checks for form submissions via POST requests, and for the CSRF nonce. If the nonce sent is correct, then the file provided by the user is uploaded. There is a path traversal allowing write access outside the jailed themes directory root. Exploiting the traversal is not necessary because the .htaccess file is ignored. A contributing factor is that there isn't another check on the extension before saving the file, with the assumption that the parameter content is safe. This allows the creation of web-accessible and executable files with arbitrary content.

Affected (1 range)

Vendor      Product        Version range   Fixed in
get-simple  getsimple_cms  <= 3.3.15       (not listed)

Detection & IOCs (extracted from sources)

path    data/other/authorization.xml
path    data/users/admin.xml
path    admin/theme-edit.php
url     data/other/authorization.xml
url     data/users/
url     admin/theme-edit.php
cookie  GS_ADMIN_USERNAME=<username>;<SHA1(cookie_name+salt)>=<SHA1(username+salt)>
url     theme/<uploaded_filename>.php
  • Monitor for unauthenticated HTTP GET requests to data/other/authorization.xml and data/users/*.xml, which are used to leak the API key and admin username for auth bypass.
  • Detect forged session cookies matching the pattern GS_ADMIN_USERNAME=<user>;<SHA1(getsimple_cookie_<ver>+apikey)>=<SHA1(user+apikey)> — the cookie is entirely SHA-1 computed from leaked public values.
  • Alert on HTTP POST requests to admin/theme-edit.php containing the parameters submitsave, edited_file, content, and nonce — this is the file-upload exploitation path.
  • Detect PHP files written into the themes directory (theme/*.php) via POST to admin/theme-edit.php, indicating successful arbitrary file upload exploitation.
  • Check that AllowOverride is enabled in Apache config to prevent .htaccess bypass; absence of AllowOverride is a contributing factor enabling this exploit.
  • The exploit only works when Apache's AllowOverride is disabled (the default), causing .htaccess restrictions to be ignored and allowing PHP files in the themes directory to be executed.
  • Authentication bypass requires that data/other/authorization.xml and data/users/ directory listing are publicly accessible (HTTP 200); if these are protected, the unauthenticated path is blocked.
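The detection bullets above describe three observable stages (credential-file disclosure, the theme-edit.php save, and a hit on the newly written theme/*.php) plus the AllowOverride precondition. The following is an added example, not part of this record and not GetSimple's or Apache's code, that turns those bullets into per-request tags, correlates them per client in time order, and checks an httpd config fragment for AllowOverride None. The request records are constructed for this example and assume a reverse proxy or WAF that logs form parameters; a plain Apache access log has no POST body, so there the theme-edit.php signature reduces to method and path. All IPs, filenames and config text are made up.

```python
import re
from collections import defaultdict

# Constructed sample traffic (not real logs). Client 198.51.100.7 walks the whole
# chain; 203.0.113.9 is blocked (403) at the disclosure step; 192.0.2.4 is an
# ordinary admin saving a template and must not be reported as a full chain.
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "ts": 1, "method": "GET", "path": "/data/other/authorization.xml", "status": 200},
    {"ip": "198.51.100.7", "ts": 2, "method": "GET", "path": "/data/users/", "status": 200},
    {"ip": "198.51.100.7", "ts": 3, "method": "GET", "path": "/data/users/admin.xml", "status": 200},
    {"ip": "198.51.100.7", "ts": 4, "method": "POST", "path": "/admin/theme-edit.php", "status": 200,
     "params": {"submitsave": "1", "edited_file": "evil.php",
                "content": "CONSTRUCTED_PLACEHOLDER_CONTENT", "nonce": "abc"}},
    {"ip": "198.51.100.7", "ts": 5, "method": "GET", "path": "/theme/evil.php", "status": 200},
    {"ip": "203.0.113.9", "ts": 6, "method": "GET", "path": "/data/users/admin.xml", "status": 403},
    {"ip": "203.0.113.9", "ts": 7, "method": "GET", "path": "/theme/Innovation/style.css", "status": 200},
    {"ip": "192.0.2.4", "ts": 8, "method": "POST", "path": "/admin/theme-edit.php", "status": 200,
     "params": {"submitsave": "1", "edited_file": "Innovation/template.php",
                "content": "CONSTRUCTED_TEMPLATE_CONTENT", "nonce": "def"}},
]

# Paths named in the IOC list: the API key file, the users directory listing, and user XML files.
SENSITIVE_GET = re.compile(r"^/data/(other/authorization\.xml|users/?|users/[^/]+\.xml)$")
# A PHP file under the themes directory (theme/<uploaded_filename>.php in the IOC list).
THEME_PHP = re.compile(r"^/theme/.+\.php$")
# Parameters of the theme-edit.php save form listed in the detection bullets.
UPLOAD_PARAMS = {"submitsave", "edited_file", "content", "nonce"}
# Stage order required for a full-chain report.
CHAIN = ("credential-disclosure", "theme-edit-save", "theme-php-executed")


def classify(req):
    """Return the detection tags a single request matches (possibly none)."""
    path = req["path"].split("?", 1)[0]
    tags = []
    if req["method"] == "GET" and req["status"] == 200 and SENSITIVE_GET.match(path):
        tags.append("credential-disclosure")          # unauthenticated 200 on data/ files
    if req["method"] == "POST" and path == "/admin/theme-edit.php":
        params = req.get("params", {})
        if UPLOAD_PARAMS.issubset(params):
            tags.append("theme-edit-save")            # the upload path, legitimate or not
            target = params["edited_file"]
            if ".." in target.split("/") or target.startswith("/"):
                tags.append("path-traversal")         # write outside the themes root
            if target.lower().endswith(".php"):
                tags.append("php-write")              # no extension check server-side
    if req["method"] == "GET" and req["status"] == 200 and THEME_PHP.match(path):
        tags.append("theme-php-executed")
    return tags


def correlate(requests):
    """Return clients that show disclosure, then a save, then a theme PHP hit, in that order."""
    first_seen = defaultdict(dict)  # ip -> tag -> timestamp of first occurrence
    for req in sorted(requests, key=lambda r: r["ts"]):
        for tag in classify(req):
            first_seen[req["ip"]].setdefault(tag, req["ts"])
    hits = []
    for ip, seen in first_seen.items():
        if all(tag in seen for tag in CHAIN) and seen[CHAIN[0]] < seen[CHAIN[1]] < seen[CHAIN[2]]:
            hits.append(ip)
    return sorted(hits)


# Constructed httpd.conf fragments: the weak default beside the corrected form.
SAMPLE_HTTPD_CONF_WEAK = '<Directory "/var/www/html">\n    AllowOverride None\n    Require all granted\n</Directory>\n'
SAMPLE_HTTPD_CONF_FIXED = '<Directory "/var/www/html">\n    AllowOverride All\n    Require all granted\n</Directory>\n'
ALLOW_OVERRIDE = re.compile(r"^\s*AllowOverride\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def htaccess_ignored(config_text):
    """True if any AllowOverride directive is None, i.e. GetSimple's .htaccess files are ignored."""
    return any(m.group(1).lower() == "none" for m in ALLOW_OVERRIDE.finditer(config_text))


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        tags = classify(req)
        if tags:
            print(f'{req["ip"]} {req["method"]} {req["path"]} -> {", ".join(tags)}')
    print("full chain from:", correlate(SAMPLE_REQUESTS))
    print("weak config ignores .htaccess:", htaccess_ignored(SAMPLE_HTTPD_CONF_WEAK))
    print("fixed config ignores .htaccess:", htaccess_ignored(SAMPLE_HTTPD_CONF_FIXED))
```

The per-request tags are deliberately noisy: a legitimate administrator saving a template trips theme-edit-save and php-write just as an attacker does, which is why correlate() only reports a client that produced all three stages in order. In a real deployment the records would come from the proxy's parsed log rather than the inline list, and the AllowOverride check would be run over the merged output of httpd -S or the actual configuration files.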

CVSS provenance

NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N