CVE-2020-18191
📋 TL;DR
CVE-2020-18191 is a directory traversal vulnerability in GetSimpleCMS 3.3.15 that allows remote attackers to delete arbitrary files via the /admin/log.php endpoint. This affects all GetSimpleCMS 3.3.15 installations with default configurations, potentially leading to complete system compromise.
💻 Affected Systems
- GetSimpleCMS
📦 What is this software?
GetSimpleCMS by GetSimple
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete critical system files, configuration files, or web application files, causing complete system unavailability, data loss, or enabling further exploitation.
Likely Case
Attackers delete web application files or configuration files, causing service disruption, defacement, or privilege escalation.
If Mitigated
With proper file permissions and web server restrictions, impact is limited to files accessible by the web server user.
🎯 Exploit Status
Exploitation requires admin access or authentication bypass. The vulnerability is simple to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.16
Vendor Advisory: https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1303
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download GetSimpleCMS 3.3.16 from the official repository.
3. Replace all files except the /data and /backups directories.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Restrict admin access
Limit access to the admin interface using IP whitelisting or an authenticating reverse proxy. The example below uses Apache 2.2-style access-control directives (still accepted on Apache 2.4 through mod_access_compat); replace 192.168.1.0/24 with your own management network:
# Example Apache .htaccess for IP restriction
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
Remove vulnerable file
Temporarily remove or rename the vulnerable log.php file until the patch is applied:
mv /path/to/GetSimpleCMS/admin/log.php /path/to/GetSimpleCMS/admin/log.php.disabled
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to the admin interface
- Enable detailed logging and monitoring for file deletion attempts in the admin directory
🔍 How to Verify
Check if Vulnerable:
Check if running GetSimpleCMS version 3.3.15 by examining the version in admin/settings.php or the footer of admin pages
Check Version:
grep -r "define('GSVERSION'" /path/to/GetSimpleCMS/ || grep GSVERSION /path/to/GetSimpleCMS/admin/settings.php
Verify Fix Applied:
Verify the version has been updated to 3.3.16 and test that directory traversal attempts via log.php are properly blocked
📡 Detection & Monitoring
Log Indicators:
- Multiple failed attempts to access log.php with directory traversal patterns
- Unexpected file deletion events in web server logs
- Admin login attempts from unusual IP addresses
Network Indicators:
- HTTP requests to /admin/log.php containing '../' patterns
- Unusual spikes in admin interface traffic
SIEM Query:
source="web_server_logs" AND (uri="/admin/log.php" AND (uri="*../*" OR uri="*..\\*"))
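The SIEM query above only matches the literal '../' and '..\' spellings; traversal sequences also arrive percent-encoded (%2e%2e%2f) or double-encoded, which a wildcard on the raw URI misses. The following is an added example, not code from the advisory or from the GetSimpleCMS project: a small checker that parses Apache/nginx combined-format access-log lines, percent-decodes and normalises the request URI, and flags requests to the admin log.php endpoint that carry any traversal spelling. The sample log lines, the query-parameter name and the file names in them are constructed placeholders, not indicators taken from the advisory.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log format is assumed; adjust for other formats.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# One pattern suffices because normalize_uri() folds "..\" into "../".
TRAVERSAL = re.compile(r'\.\./')

# Constructed sample lines (not real traffic); parameter name and file names
# are placeholders. Lines 1, 2 and 5 carry traversal sequences in three
# spellings: plain, percent-encoded, and double-encoded backslash.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/log.php?log=../../../placeholder.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/log.php?log=..%2F..%2Fplaceholder.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/log.php?log=failedlogins.log HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /admin/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /cms/admin/log.php?log=..%255C..%255Cplaceholder.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def normalize_uri(uri: str) -> str:
    """Percent-decode twice (so %252e double encoding is resolved) and fold
    backslashes to forward slashes, so a single pattern covers every spelling."""
    decoded = unquote(unquote(uri))
    return decoded.replace('\\', '/')


def is_log_php_traversal(uri: str) -> bool:
    """True when the request path is the admin log viewer (under any install
    prefix) and the path or query contains a traversal sequence."""
    path = uri.split('?', 1)[0].lower()
    if not path.endswith('/admin/log.php'):
        return False
    return TRAVERSAL.search(normalize_uri(uri)) is not None


def scan_access_log(text: str) -> list:
    """Return (client_ip, status, raw_uri) for every suspicious line; lines
    that do not parse as combined format are skipped rather than raising."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_log_php_traversal(m['uri']):
            hits.append((m['ip'], m['status'], m['uri']))
    return hits


if __name__ == '__main__':
    for ip, status, uri in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f'{ip} {status} {uri}')
```

Run it against a real access log with scan_access_log(open(path).read()); the status code is kept in each hit because a 200 on a traversal request is more interesting than a 403 from the .htaccess restriction above.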