#VU6902 Unrestricted file upload in BigTree CMS - CVE-2017-9364
Published: June 6, 2017
Vulnerability identifier: #VU6902
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Green
CVE-ID: CVE-2017-9364
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
BigTree CMS
BigTree CMS
Software vendor:
BigTree CMS
BigTree CMS
Description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to absent validation of certain file extensions when uploading files. A remote attacker can upload files with .pht and .phtml extensions and execute them with privileges of the web server.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system, but requires that the web server is configured to treat the affected extensions as PHP files.
The vulnerability exists due to absent validation of certain file extensions when uploading files. A remote attacker can upload files with .pht and .phtml extensions and execute them with privileges of the web server.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system, but requires that the web server is configured to treat the affected extensions as PHP files.
Remediation
Install update from GIT repository.