GetSimpleCMS

Remote command execution vulnerability in 3.3.16

Open PicklerBox opened this issue 3 years ago • 4 comments

Go to the edit-theme.php file, click the Save Changes button below, and grab the request package. Use `../` to change the edited_file parameter in the request package. Then we access index.php.

PicklerBox avatar Sep 24 '22 17:09 PicklerBox

```php
if((isset($_POST['submitsave']))){

# check for csrf
if (!defined('GSNOCSRF') || (GSNOCSRF == FALSE) ) {
	$nonce = $_POST['nonce'];
	if(!check_nonce($nonce, "save")) {
		die("CSRF detected!");
	}
}

# save edited template file
$SavedFile = $_POST['edited_file'];   // taken straight from the request, no path check
$FileContents = get_magic_quotes_gpc() ? stripslashes($_POST['content']) : $_POST['content'];
$fh = fopen(GSTHEMESPATH . $SavedFile, 'w') or die("can't open file");   // path is GSTHEMESPATH + user input
fwrite($fh, $FileContents);
fclose($fh);
$success = sprintf(i18n_r('TEMPLATE_FILE'), $SavedFile);

}
```

The `$SavedFile` and `$FileContents` parameters are not filtered, so you can write files across directories.

PicklerBox avatar Sep 25 '22 04:09 PicklerBox

Thanks, looks like this was not completely back-patched from 3.4

tablatronix avatar Sep 25 '22 15:09 tablatronix

Is there a fix/patch for this that can be applied? Example code or Pull Request?

risingisland avatar Oct 03 '22 14:10 risingisland

This looks easy, just check the same code in 3.4 and backport it

```php
# save edited template file
$SavedFile = $_POST['edited_file'];
// $themepath is expected to be set earlier in the file (not shown in this snippet)
if(!filepath_is_safe($themepath.$SavedFile,GSTHEMESPATH,true)) die();	 // mitigation check
$FileContents = get_magic_quotes_gpc() ? stripslashes($_POST['content']) : $_POST['content'];
```

tablatronix avatar Apr 20 '24 03:04 tablatronix
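As an added illustration (not GetSimpleCMS code and not its `filepath_is_safe()`), here is a containment check in the spirit of the backport discussed above: it resolves the requested path with `realpath()` and requires it to stay under the themes directory, also covering files that do not exist yet. The function and variable names are this example's own, and the themes directory it writes into is a constructed temporary one.

```php
<?php
// Added example, not project code. Resolve $requested under $themesDir and
// return the absolute path only if it stays inside that directory.

/**
 * Return the resolved path if $requested stays inside $themesDir, or null if
 * it escapes (via ../, symlinks, or a null byte). For a file that does not
 * exist yet, the parent directory is resolved instead, so creating a new
 * template file is checked too.
 */
function safe_theme_path(string $themesDir, string $requested): ?string
{
    // Null bytes can truncate the path in lower-level filesystem calls: reject.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $root = realpath($themesDir);
    if ($root === false) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $requested;
    $resolved = realpath($candidate);
    if ($resolved === false) {
        // Target does not exist yet: resolve its parent directory instead.
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null;
        }
        $resolved = $parent . DIRECTORY_SEPARATOR . basename($candidate);
    }
    // Compare against "root/" so a sibling such as "themes_old" is not accepted.
    $prefix = $root . DIRECTORY_SEPARATOR;
    return (strpos($resolved, $prefix) === 0) ? $resolved : null;
}

// Constructed demo: a throwaway themes directory holding one theme.
$themes = sys_get_temp_dir() . '/gs_demo_' . bin2hex(random_bytes(4));
mkdir("$themes/mytheme", 0700, true);
touch("$themes/mytheme/template.php");

$requests = ['mytheme/template.php', 'mytheme/new.php', '../../index.php', 'mytheme/../../gsconfig.php'];
foreach ($requests as $req) {
    $ok = safe_theme_path($themes, $req);
    printf("%-28s %s\n", $req, $ok === null ? 'REJECTED' : 'ok: ' . $ok);
}
```

The first two requests resolve inside the themes directory and are accepted; the two containing `../` resolve outside it and are rejected, which is the behaviour the `die()` in the backport provides.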