GetSimple CMS Cross-Site Request Forgery Vulnerability in File Upload Endpoint

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in GetSimple CMS, affecting all versions through 3.3.22. The issue arises because the administrative file upload endpoint lacks CSRF protection, allowing attackers to upload arbitrary files without the victim's knowledge or consent. Exploitation requires the victim to be an authenticated user, such as an admin, and to visit a webpage controlled by the attacker.

Impact

Exploitation of this vulnerability allows for unauthorized file uploads, which can lead to the hosting of persistent malicious content, abuse of storage resources, or defacement of the application. Additionally, if combined with inadequate file validation, such as permitting SVG uploads, this vulnerability could be exploited to execute Stored Cross-Site Scripting (XSS) attacks without direct user interaction.

Reproduction

To reproduce this vulnerability, upload a Proof of Concept (PoC) script to a local web server. Log in to GetSimple CMS as an authenticated user. While still logged in, open the PoC in the same browser. The malicious page will automatically send a POST request to the file upload endpoint. After the request is processed, the uploaded file will appear in the designated uploads directory.

Remediation

To address this vulnerability, implement CSRF tokens for all state-changing requests, validate the Origin and/or Referer headers, and require explicit user interaction for file uploads.