GetSimple CMS Remote Code Execution Vulnerability in Component Edit Function

Vulnerability

A remote code execution vulnerability has been identified in GetSimple CMS versions 3.3.16 prior to 3.3.21. The issue allows authenticated users with access to the Edit component to inject arbitrary PHP code into a component file. This injected code can then be executed via a crafted query string, running under the web server's user context.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running as the web server user, typically www-data. This could lead to a complete takeover of the application and potential lateral movement within the internal network.

Reproduction

To reproduce this vulnerability, an authenticated user must access the 'Edit Component' functionality. This feature allows users to write raw input into a PHP file located under admin/components/. Once the file is saved, it is included when the front page is rendered, executing any valid PHP code under the web server's user context. After injecting a web shell or similar payload, commands can be executed through the web shell, demonstrating the remote code execution capability.
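A defender can audit stored components for the condition described above. The following is an added example, not code from GetSimple CMS or from this advisory: it scans a directory of component files for PHP blocks, execution-capable calls and request-input references. The patterns, the file names and the idea of pointing it at a copy of admin/components/ are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns chosen for this example (assumptions, not from the advisory).
PHP_BLOCK = re.compile(r"<\?(?!xml\b)(?:php|=)?(.*?)(?:\?>|\Z)", re.S | re.I)
EXEC_CALL = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

def scan_text(text):
    """Return sorted finding labels for one component's raw content."""
    findings = set()
    for block in PHP_BLOCK.finditer(text):
        code = block.group(1)
        findings.add("php-block")  # any PHP in a component deserves review
        for m in EXEC_CALL.finditer(code):
            findings.add("exec-call:" + m.group(1).lower())
        if REQUEST_INPUT.search(code):  # code driven by the query string
            findings.add("request-input")
    return sorted(findings)

def scan_components(directory):
    """Map each flagged file name under `directory` to its findings."""
    report = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[path.name] = hits
    return report

def demo():
    """Scan constructed sample components written to a temporary directory."""
    samples = {  # constructed samples, not real GetSimple data
        "sidebar.php": "<h2>About</h2>\n<p>Plain HTML component.</p>\n",
        "footer.php": "<p>&copy; <?php echo date('Y'); ?></p>\n",
        "tagline.php": '<p>Hi</p><?php system("id"); ?>\n',
        "banner.php": '<?php echo $_GET["name"];\n',  # unterminated PHP block
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_text(body)
        return scan_components(tmp)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

A bare php-block finding can be legitimate template code; exec-call and request-input findings are the ones to triage first, alongside file modification times and the admin access log.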

Remediation

Users are advised to update to GetSimple CMS version 3.3.22 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 7.5
exploitability: 6.3
remediation: 7.7
relevance: 0.1
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.