Message-ID: <0MKILu-1ahU2s2BnC-001fWF@mrelayeu.kundenserver.de>
Date: Tue, 15 Mar 2016 15:40:51 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] BigTree 4.2.8: Object Injection & Improper Filename Sanitation

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    BigTree 4.2.8
Fixed in:            BigTree 4.2.9
Fixed Version Link:  https://www.bigtreecms.org/download/
Vendor Website:      https://www.bigtreecms.org/
Vulnerability Type:  Object Injection & Improper Filename Sanitation
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 03/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

BigTree CMS is a CMS written in PHP. In version 4.2.8, it is vulnerable to
object injection. The impact of this vulnerability is currently small -
privileged users can update settings they are not allowed to update - but may
be more extensive depending on installed plugins.

In addition to the object injection, BigTree also has a function called
cleanFile which is supposed to prevent directory traversal, but which can be
bypassed. The function is not currently used by BigTree itself, but may be used
by plugins.

3. Object Injection

Description

CVSS: Low 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N

BigTree passes unvalidated user input to unserialize, leading to PHP object
injection. The vulnerability is in the backend, so a user account with the role
developer or admin is required. Successful exploitation may, for example, allow
an admin to edit settings they are not authorized to edit.

In BigTree, the admin role is less privileged than the developer role. For
example, an admin can only edit a subset of the settings.

The impact of the vulnerability is currently small: BigTree does not implement
__wakeup in any class, none of the classes implement the iterator interface,
and __destruct is implemented in only a limited number of classes. Only one of
these cases seems relevant to security: the destructor of the BigTreeCMSBase
class updates all settings without checking again whether the user is allowed
to update the setting and without re-validating the value of the setting.

This may, for example, lead to persistent XSS via the colophon setting. An
admin does not have the right to post scripts, as this would weaken the
distinction between admins and developers. An admin has the right to edit the
colophon setting, but the input is HTML encoded before it is put in the
database. By bypassing this encoding, a malicious admin can inject scripts.

It should be noted that custom modules may contain classes that lead to a
bigger security impact of this vulnerability.

Proof of Concept

The attack can be achieved in a browser by visiting the following URL and
clicking on save:

http://localhost/BigTree-CMS/site/index.php/admin/trees/edit/2/?view_data=[INJECTED OBJECT]

A payload to update the setting "bigtree-internal-security-policy" may for
example be:

a:2:{s:7:"bigtree";O:14:"BigTreeCMSBase":2:{s:16:"AutoSaveSettings";a:1:
{s:32:"bigtree-internal-security-policy";a:1:{s:3:"foo";s:3:"bar";}}
s:15:"ModuleClassList";a:2:{s:9:"DemoTrees";s:5:"trees";s:10:"DemoQuotes";
s:6:"quotes";}}s:4:"view";s:6:"foobar";}

The actual request is a POST request to
/BigTree-CMS/site/index.php/admin/trees/edit/process/, where the
_bigtree_return_view_data field contains the base64 encoded payload.

Code
/process.php
    $return_view_data = unserialize(base64_decode($_POST["_bigtree_return_view_data"]));
    if (!$bigtree["form"]["return_view"] || $bigtree["form"]["return_view"] == $return_view_data["view"]) {
        $redirect_append = array();
        unset($return_view_data["view"]); // We don't need the view passed back.
        foreach ($return_view_data as $key => $val) {
            $redirect_append[] = "$key=".urlencode($val);
        }
        $redirect_append = "?".implode("&",$redirect_append);
    }

/cms.php
    function __destruct() {
        foreach ($this->AutoSaveSettings as $id => $obj) {
            if (is_object($obj)) {
                BigTreeAdmin::updateSettingValue($id,get_object_vars($obj));
            } else {
                BigTreeAdmin::updateSettingValue($id,$obj);
            }
        }
    }
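
The decoding pattern above next to a hardened form, as an added example that is not part of the advisory and not BigTree's actual fix. DemoAutoSaver and decodeReturnViewData are hypothetical names, the inputs are constructed, and the allowed_classes option requires PHP 7.0 or later.

```php
<?php
// Added example. DemoAutoSaver is a hypothetical stand-in for a class whose
// destructor has side effects; it is not BigTree code.
class DemoAutoSaver {
    public $AutoSaveSettings = [];
    public static $writes = [];
    function __destruct() {
        foreach ($this->AutoSaveSettings as $id => $value) {
            self::$writes[] = $id; // stands in for a settings write
        }
    }
}

// Hardened decoder (hypothetical helper): never instantiates classes and
// accepts only the flat key => scalar array the redirect code needs.
function decodeReturnViewData(string $field): ?array {
    $raw = base64_decode($field, true);
    if ($raw === false) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]); // PHP >= 7.0
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $val) {
        if (!is_scalar($val)) { // nested arrays, __PHP_Incomplete_Class
            return null;
        }
    }
    return $data;
}

// Constructed inputs, built with serialize() so the demo is self-contained.
$obj = new DemoAutoSaver();
$obj->AutoSaveSettings = ['demo-setting' => 'value'];
$withObject = base64_encode(serialize(['bigtree' => $obj, 'view' => 'foobar']));
$obj->AutoSaveSettings = []; // the local copy must not write on cleanup
unset($obj);
$plain = base64_encode(serialize(['view' => 'foobar', 'page' => '2']));

// Pattern from process.php: the object is rebuilt, then destroyed.
$data = unserialize(base64_decode($withObject));
unset($data);
echo "plain unserialize, destructor writes: ", count(DemoAutoSaver::$writes), "\n";

DemoAutoSaver::$writes = [];
$rejected = decodeReturnViewData($withObject);
echo "hardened, object payload accepted: ", var_export($rejected !== null, true), "\n";
echo "hardened, destructor writes: ", count(DemoAutoSaver::$writes), "\n";
echo "hardened, plain array: ", json_encode(decodeReturnViewData($plain)), "\n";
```

Since the field only carries key/value strings for a redirect, encoding it as JSON instead of a serialized PHP value removes the object-instantiation path entirely.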

4. Improper Filename Sanitation

Description

The function cleanFile is supposed to prevent directory traversal, but
currently it does not fulfill its task, as an attacker can easily bypass the
filter via ....//. The function is currently not used for any sensitive tasks,
but it may be used by extensions or in the future.

Code

/*
	Function: cleanFile
		Makes sure that a file path doesn't contain abusive characters (i.e. ../)

	Parameters:
		file - A file name

	Returns:
		Cleaned up string.
*/

static function cleanFile($file) {
	return str_replace("../","",$file);
}
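
Why the single replacement pass fails, and a containment check that does not depend on string filtering, as an added example that is not part of the advisory and not BigTree's actual fix. resolveInside is a hypothetical helper and the sandbox files are constructed for the demonstration.

```php
<?php
// cleanFile exactly as quoted in the advisory: one non-recursive pass.
function cleanFile($file) {
    return str_replace("../", "", $file);
}

// Hypothetical alternative (added example): canonicalize the path and require
// that the result stays below the base directory.
function resolveInside(string $baseDir, string $file): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($target === false) { // nonexistent path
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sandbox in the temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "cleanfile_demo_" . uniqid();
mkdir($root . "/uploads", 0700, true);
file_put_contents($root . "/uploads/ok.txt", "inside");
file_put_contents($root . "/outside.txt", "outside");

// Removing the inner "../" from "....//" lets the leftover characters close
// up into a fresh "../", which the single pass never re-examines.
$cleaned = cleanFile("....//outside.txt");
echo "cleanFile output: ", $cleaned, "\n";
echo "traversal still present: ", var_export(strpos($cleaned, "../") !== false, true), "\n";

echo "inside file resolves: ",
    var_export(resolveInside("$root/uploads", "ok.txt") !== null, true), "\n";
echo "cleaned input resolves: ",
    var_export(resolveInside("$root/uploads", $cleaned) !== null, true), "\n";

// Remove the sandbox.
unlink("$root/uploads/ok.txt");
unlink("$root/outside.txt");
rmdir("$root/uploads");
rmdir($root);
```

Because realpath only resolves existing paths, a check like this suits reads of existing files; for paths that are about to be created, canonicalize the parent directory and validate the final name component separately.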

5. Solution

To mitigate this issue, please upgrade to at least version 4.2.9:

https://www.bigtreecms.org/download/

Please note that a newer version might already be available.

6. Report Timeline

01/29/2016 Informed Vendor about Issue
02/02/2016 Vendor sends fixes for verification
02/10/2016 Verified Fixes
02/12/2016 Vendor releases Fixes
03/15/2016 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/BigTree-428-Object-Injection-amp-Improper-Filename-Sanitation-152.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
