#VU6901 Cross-site request forgery in BigTree CMS - CVE-2017-9365

Cybersecurity Help s.r.o.

Published: 2017-06-02 | Updated: 2017-06-06

Vulnerability identifier: #VU6901

Vulnerability risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2017-9365

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
BigTree CMS
Web applications / CMS

Vendor: BigTree CMS

Description
The vulnerability allows a remote attacker to perform CSRF attack.

The vulnerability exists due to absent validation of HTTP request origin when unlocking modules and website pages in /admin/pages/revisions.php script. A remote attacker can trick a logged-in administrator into visiting a specially crafted web page and unlock arbitrary pages or modules on the vulnerable website.

Exploitation example for unlocking page with id=1:

http://[host]/admin/pages/revisions/1/?force=false

Mitigation
Install update from GIT repository.

Vulnerable software versions

BigTree CMS: 4.2 - 4.2.18

External links
https://github.com/bigtreecms/BigTree-CMS/commit/c17d09b05d9c20c214ee2f4fbb52f7307a7b4b6f
https://github.com/bigtreecms/BigTree-CMS/issues/281

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in BigTree CMS