GetSimpleCMS-CE
cpe:2.3:a:get-simple:getsimple_cms:*:*:*:*:*:*:*
- <= 3.3.22
A remote code execution vulnerability has been identified in GetSimple CMS, specifically in the massiveAdmin plugin version 6.0.3, bundled with GetSimpleCMS-CE version 3.3.22. The vulnerability allows an authenticated administrator to overwrite the gsconfig.php file with arbitrary PHP code through the gsconfig editor module. Because the module has no Cross-Site Request Forgery (CSRF) protection, a remote unauthenticated attacker can perform a CSRF attack against a logged-in admin, ultimately executing the injected code on the web server.
Exploitation of this vulnerability leads to remote code execution on the web server, with the executed code running under the privileges of the web server process. This could result in a full server compromise, allowing the attacker to read and write arbitrary files, install backdoors, pivot to internal networks, exfiltrate data, or gain complete control over the hosting environment. The injected code executes on every page load, both frontend and backend, due to the global inclusion of gsconfig.php.
To reproduce this vulnerability, a logged-in administrator must first be lured into visiting a crafted HTML page that exploits the missing CSRF protection. The page includes a form that submits to the admin load.php with the massiveAdmin option, carrying the malicious PHP code payload disguised as a configuration update. Once the form is submitted, the massiveAdmin plugin writes the PHP code into the gsconfig.php file, which is executed on every page load, achieving remote code execution.
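The request pattern described above can be hunted for in web server access logs. The following detection sketch is an added example, not code from GetSimple CMS or from this advisory; it assumes Combined Log Format, and the sample log lines, host names and the `id=massiveAdmin` query layout are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def suspicious_config_writes(lines, site_host):
    """Flag POSTs to load.php with the massiveAdmin option whose Referer is not site_host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        target = urlsplit(m["target"])
        if not target.path.lower().endswith("/load.php"):
            continue
        if "massiveadmin" not in target.query.lower():
            continue
        ref_host = (urlsplit(m["referer"]).hostname or "").lower()
        if ref_host == site_host.lower():
            continue  # submitted from the admin UI itself
        # Off-site or absent Referer: a missing one can be benign (referrer
        # policy, privacy tools), so treat these hits as leads to review.
        hits.append({"ip": m["ip"], "time": m["time"], "target": m["target"],
                     "referer": m["referer"] if ref_host else "(none)"})
    return hits

# Constructed sample lines (documentation addresses, hypothetical hosts and URL layout).
SAMPLE_LOG = [
    '198.51.100.20 - - [12/Mar/2025:10:14:05 +0000] "POST /admin/load.php?id=massiveAdmin HTTP/1.1" 200 812 "https://cms.example.test/admin/load.php?id=massiveAdmin" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2025:10:15:32 +0000] "POST /admin/load.php?id=massiveAdmin HTTP/1.1" 200 640 "https://lure.example.net/promo.html" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2025:10:16:01 +0000] "GET /admin/load.php?id=massiveAdmin HTTP/1.1" 200 9100 "https://lure.example.net/promo.html" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2025:10:17:44 +0000] "POST /admin/load.php?id=otherplugin HTTP/1.1" 200 300 "https://lure.example.net/promo.html" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2025:10:18:10 +0000] "POST /admin/load.php?id=massiveAdmin HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_config_writes(SAMPLE_LOG, "cms.example.test"):
        print(f'{hit["time"]} {hit["ip"]} POST {hit["target"]} referer={hit["referer"]}')
```

A hit is worth correlating with the modification time and contents of gsconfig.php, since that file is what the plugin rewrites.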