CVE-2013-10032
📋 TL;DR
This CVE describes an authenticated remote code execution vulnerability in GetSimpleCMS 3.2.1 where authenticated users can upload malicious PHP files disguised with .pht extensions or other polyglot techniques. Attackers can bypass blacklist-based file validation and execute arbitrary code on the server. All GetSimpleCMS 3.2.1 installations with default configurations are affected.
💻 Affected Systems
- GetSimpleCMS
📦 What is this software?
GetSimpleCMS by Get Simple
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to other systems, and maintain persistent access.
Likely Case
Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks within the network.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place, though authenticated users could still attempt exploitation.
🎯 Exploit Status
Metasploit module available (get_simple_cms_upload_exec.rb). Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.2.1
Vendor Advisory: https://get-simple.info
Restart Required: No
Instructions:
1. Backup your GetSimpleCMS installation and database.
2. Download the latest version from get-simple.info.
3. Replace all files except the /data, /backups, and /uploads directories.
4. Run the update script if provided.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict file upload extensions
Implement whitelist-based file upload validation that only allows specific safe extensions.
Modify upload.php to check against allowed extensions: $allowed = array('jpg', 'png', 'gif', 'pdf');
Disable upload functionality
Temporarily disable file uploads until patching is complete.
Comment out or remove upload.php functionality or restrict access via .htaccess: Deny from all
🧯 If You Can't Patch
- Implement strict file upload validation using whitelists instead of blacklists
- Deploy a web application firewall (WAF) with rules to block .pht file uploads and suspicious upload patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the installation is running GetSimpleCMS version 3.2.1 by examining the version files or the admin panel. Attempt to upload a non-malicious test .pht file as an authenticated user.
Check Version:
Check /admin/version.php or /data/other/version.xml for version information
Verify Fix Applied:
After updating, verify version is >3.2.1. Attempt to upload a .pht file - it should be rejected. Check upload.php for proper whitelist validation.
📡 Detection & Monitoring
Log Indicators:
- File uploads with .pht extension in web server logs
- POST requests to upload.php with unusual file types
- Successful uploads followed by GET requests to unusual file names
Network Indicators:
- HTTP POST requests to /path/to/upload.php with .pht files in payload
- Subsequent requests to uploaded files with .pht extensions
SIEM Query:
source="web_logs" AND (uri_path="*upload.php" AND (file_extension=".pht" OR user_agent LIKE "%curl%" OR user_agent LIKE "%wget%"))
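The whitelist check from the workaround above and the log indicators from this section, combined into one added example (not code from GetSimpleCMS or from the original advisory). The access-log lines are constructed in Apache combined format, and the upload directory /data/uploads/ is an assumption used only for the sample.

```python
import re
from urllib.parse import urlsplit

# Whitelist mirroring the workaround's $allowed array: anything not listed is rejected.
ALLOWED_EXTENSIONS = {"jpg", "png", "gif", "pdf"}


def is_allowed_upload(filename: str) -> bool:
    """Whitelist check on the final extension only.

    A blacklist must enumerate every dangerous suffix (.php, .pht, ...) and misses
    the next one; a whitelist rejects .pht, double extensions and dotfiles by default.
    """
    name = filename.rsplit("/", 1)[-1]
    if "." not in name or name.startswith("."):
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS


# Apache combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def find_suspicious(log_lines, upload_dir="/data/uploads/"):
    """Flag clients that POSTed to upload.php and then fetched a file under
    upload_dir whose extension fails the whitelist (e.g. a .pht file)."""
    uploaders = set()   # client IPs with a successful POST to upload.php
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not access-log entries
        path = urlsplit(m["path"]).path   # drop any query string
        if m["method"] == "POST" and path.endswith("upload.php") and m["status"][0] in "23":
            uploaders.add(m["ip"])
        elif (m["method"] == "GET" and path.startswith(upload_dir)
              and m["ip"] in uploaders and not is_allowed_upload(path)):
            hits.append((m["ip"], path))
    return hits


# Constructed sample log: one client uploads and requests a .pht file, another uploads a PDF.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/upload.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /admin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /data/uploads/notes.pht HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "POST /admin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:05 +0000] "GET /data/uploads/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

Run `find_suspicious(SAMPLE_LOG)` to get the (client, path) pairs worth triaging; the same `is_allowed_upload` rule is what the upload handler should enforce before writing the file.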
🔗 References
- https://get-simple.info
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=27895
- https://www.exploit-db.com/exploits/25405
- https://www.fortiguard.com/encyclopedia/ips/39295
- https://www.vulncheck.com/advisories/getsimple-cms-auth-rce-via-arbitrary-php-file-upload