SB2017060601 - Multiple vulnerabilities in BigTree CMS
Published: June 6, 2017
Security Bulletin ID
SB2017060601
Severity
Medium
Patch available
NO
Number of vulnerabilities
4
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2017-9365)
The vulnerability allows a remote attacker to perform CSRF attack.The vulnerability exists due to absent validation of HTTP request origin when unlocking modules and website pages in /admin/pages/revisions.php script. A remote attacker can trick a logged-in administrator into visiting a specially crafted web page and unlock arbitrary pages or modules on the vulnerable website.
Exploitation example for unlocking page with id=1:
http://[host]/admin/pages/revisions/1/?force=false
2) Unrestricted file upload (CVE-ID: CVE-2017-9364)
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to absent validation of certain file extensions when uploading files. A remote attacker can upload files with .pht and .phtml extensions and execute them with privileges of the web server.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system, but requires that the web server is configured to treat the affected extensions as PHP files.
3) Cross-site request forgery (CVE-ID: CVE-2017-9379)
The vulnerability allows a remote attacker to perform CSRF attack.The vulnerability exists due to absent validation of HTTP request origin in "\BigTree-CMS-4.2.18\core\admin\modules\dashboard\vitals-statistics\404\clear.php" and "\core\admin\modules\dashboard\vitals-statistics\404\create-301.php" scripts. A remote attacker can trick a logged-in administrator into visiting a specially crafted web page and delete contents of 404 page or create a HTTP 301 redirect to arbitrary website.
4) Directory traversal (CVE-ID: CVE-2017-9428)
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to insufficient sanitization of user-supplied data passed via "directory" HTTP POST parameter to "/index.php/admin/ajax/developer/extensions/file-browser/" URL. A remote authenticated user with access to administrative area can use directory traversal sequences to view contents of arbitrary files on the system.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://github.com/bigtreecms/BigTree-CMS/commit/c17d09b05d9c20c214ee2f4fbb52f7307a7b4b6f
- https://github.com/bigtreecms/BigTree-CMS/issues/281
- https://github.com/bigtreecms/BigTree-CMS/commit/b72293946951cc650eaf51f5d2f62ceac6335e12
- https://github.com/bigtreecms/BigTree-CMS/issues/280
- https://github.com/bigtreecms/BigTree-CMS/issues/287
- https://github.com/bigtreecms/BigTree-CMS/issues/289