Headline
CVE-2022-41544: Remote command execution vulnerability in 3.3.16 · Issue #1352 · GetSimpleCMS/GetSimpleCMS
GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.
```php
if ((isset($_POST['submitsave']))) {
    # check for csrf
    if (!defined('GSNOCSRF') || (GSNOCSRF == FALSE)) {
        $nonce = $_POST['nonce'];
        if (!check_nonce($nonce, "save")) {
            die("CSRF detected!");
        }
    }
    # save edited template file
    # edited_file is taken from the request as-is: no check that it names a
    # file inside the themes directory
    $SavedFile = $_POST['edited_file'];
    $FileContents = get_magic_quotes_gpc() ? stripslashes($_POST['content']) : $_POST['content'];
    # the attacker-controlled name is appended to GSTHEMESPATH, so "../" segments
    # resolve to any path the web server user may write
    $fh = fopen(GSTHEMESPATH . $SavedFile, 'w') or die("can't open file");
    fwrite($fh, $FileContents);
    fclose($fh);
    $success = sprintf(i18n_r('TEMPLATE_FILE'), $SavedFile);
}
```
Neither `$SavedFile` (the `edited_file` parameter) nor `$FileContents` (the `content` parameter) is validated or sanitized, so an authenticated request can use directory traversal to write arbitrary content to a file outside the themes directory, which is what turns a template editor into remote code execution.
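The missing control is path confinement: the target must be canonicalized and proven to lie below the themes directory before anything is written. The following hardened save routine is an added example, not GetSimple's own code or patch; it assumes the `GSTHEMESPATH`, `check_nonce()` and `i18n_r()` names from the snippet above exist with the behaviour shown there.

```php
<?php
// Added example (not part of GetSimple CMS): confine the edited file to the
// themes directory before writing. GSTHEMESPATH, check_nonce() and i18n_r()
// are assumed to exist as in the vulnerable snippet.

/**
 * Return the canonical path of $relative inside $baseDir, or false if the
 * name is malformed, does not exist, or escapes the base directory.
 */
function resolve_theme_file(string $baseDir, string $relative)
{
    // NUL bytes and backslashes are never part of a legitimate theme filename;
    // reject them before any filesystem call (realpath() throws on NUL in PHP 8).
    if ($relative === '' || strpbrk($relative, "\0\\") !== false) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() collapses "../" segments and follows symlinks. The editor only
    // saves files that already exist, so a non-existent target is rejected too.
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // The canonical target must sit strictly below the themes directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $target;
}

if (isset($_POST['submitsave'])) {
    if (!defined('GSNOCSRF') || GSNOCSRF == false) {
        if (!check_nonce($_POST['nonce'] ?? '', 'save')) {
            die('CSRF detected!');
        }
    }
    $SavedFile = $_POST['edited_file'] ?? '';
    $target = is_string($SavedFile) ? resolve_theme_file(GSTHEMESPATH, $SavedFile) : false;
    if ($target === false) {
        die('Invalid template file');   // traversal or unknown file: refuse, do not create
    }
    $FileContents = is_string($_POST['content'] ?? null) ? $_POST['content'] : '';
    if (file_put_contents($target, $FileContents, LOCK_EX) === false) {
        die("can't open file");
    }
    $success = sprintf(i18n_r('TEMPLATE_FILE'), $SavedFile);
}
```

With this check a request whose `edited_file` resolves outside `GSTHEMESPATH` is rejected before `fopen`/`file_put_contents` runs, and a rejected save is a useful signal to log on the server side.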
Related news
GetSimple CMS 3.3.16 Shell Upload
GetSimple CMS version 3.3.16 suffers from a remote shell upload vulnerability.