GetSimpleCMS Remote Code Execution Vulnerability via Unrestricted File Upload

Vulnerability

A remote code execution vulnerability has been identified in GetSimpleCMS version 3.2.1. The issue lies in the upload.php endpoint, which allows authenticated users to upload arbitrary files without adequate validation of MIME types or file extensions. A .pht file containing PHP code is not caught by the blacklist-based filter, and the payload executes when the uploaded file is requested directly from the web server. The root cause is the application's reliance on a blacklist for file type filtering rather than a whitelist of explicitly permitted types.

Impact

Successful exploitation allows authenticated users to execute arbitrary PHP code on the server, potentially leading to full system compromise.

Reproduction

To reproduce this vulnerability, an authenticated user can upload a file through the upload.php endpoint. The file should be named with a polyglot or disguised extension, such as '.pht', and contain PHP code. Once uploaded, the file can be accessed directly via the web server to execute the payload.
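The blacklist-versus-whitelist distinction above, shown as an added example that is not GetSimpleCMS code: a deny-list check in the style the advisory describes beside an allow-list check that closes the .pht gap. The extension sets and the filename rule are assumptions for illustration, not the CMS's own configuration.

```python
# Added example (not GetSimpleCMS code): a blacklist filter of the kind the
# advisory describes, beside a whitelist filter. Extension sets and the
# filename pattern are assumptions chosen to illustrate the difference.
import os
import re

# Assumed deny list: catches the obvious PHP extensions but not every
# extension a web server may hand to the PHP interpreter (e.g. .pht).
DENIED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}

# Assumed allow list: only the types the application actually needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def _extensions(filename: str) -> list[str]:
    """Every dotted suffix of the base name, lower-cased: 'a.php.jpg' -> ['php', 'jpg']."""
    parts = os.path.basename(filename).split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []


def blacklist_allows(filename: str) -> bool:
    """Vulnerable approach: reject only when the final extension is on the deny list.
    Anything not explicitly listed, such as .pht, passes."""
    exts = _extensions(filename)
    return bool(exts) and exts[-1] not in DENIED_EXTENSIONS


def whitelist_allows(filename: str) -> bool:
    """Hardened approach: the base name must be plain ASCII, have at least one
    extension, and every extension (not just the last) must be on the allow list."""
    base = os.path.basename(filename)
    if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]*", base):
        return False
    exts = _extensions(filename)
    return bool(exts) and all(e in ALLOWED_EXTENSIONS for e in exts)


def check_upload(filename: str) -> dict:
    """Compare both filters on one constructed filename."""
    return {"name": filename,
            "blacklist": blacklist_allows(filename),
            "whitelist": whitelist_allows(filename)}


if __name__ == "__main__":
    # Constructed sample names; none are real uploads.
    for name in ["photo.jpg", "shell.php", "shell.pht", "shell.php.jpg", "../shell.pht"]:
        print(check_upload(name))
```

The whitelist also rejects double extensions such as shell.php.jpg, which the advisory's "disguised extension" wording covers and a last-extension blacklist does not.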

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 0.3
threat: 7.9
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.