GetSimple Support Forum

Full Version: GetSimpleCMS 3.2.1 Arbitrary File Upload
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
I Read about this vulnerability
in various sites like this...

http://packetstormsecurity.com/files/121...-shell.txt

http://outlaws-lab.blogspot.it/2013/05/g...-file.html

Is it Dangerous????
IMHO it's a bullshit vulnerability.
Regardless, we now have whitelist capability in later versions.
Thanks for the replying Shawn.
I am glad to hear this, in fact, as the sites say the solutions should be...

- The application should use whitelisting technique which compare the file extensions and mime types aganist
- acceptable mime types and extensions for more information google for "whitelisting vs blacklisting


Anyway, I'm going to look around to report other stuff about hypothetical GS vulnerabilities.



(2013-12-26, 14:13:43)shawn_a Wrote: [ -> ]IMHO it's a bullshit vulnerability.
Regardless, we now have whitelist capability in later versions.
Well this is an authenticated upload, not some public thing. Who would you be protecting against ?
We do not even have real multi user support, so not users.

Of course you can rename a file extension, it is like a giant no shit sherlock.

If you have front side uploads then security needs to be handled much different.
I got it.
It's a ph00kin' false allarme :-D

(2013-12-27, 01:03:39)shawn_a Wrote: [ -> ]Well this is an authenticated upload, not some public thing. Who would you be protecting against ?
We do not even have real multi user support, so not users.

Of course you can rename a file extension, it is like a giant no shit sherlock.

If you have front side uploads then security needs to be handled much different.