BigTree-CMS 4.2.x < 4.2.11 Multiple Vulnerabilities

Severity: Critical | Nessus Network Monitor Plugin ID 9557

Synopsis

The version of BigTree-CMS running on the remote server is affected by multiple vulnerabilities.

Description

The version of BigTree-CMS installed on the remote host is 4.2.x prior to 4.2.11 and is affected by multiple vulnerabilities:

- A flaw exists that allows conducting a session fixation attack. This flaw exists because the application does not properly invalidate an existing session identifier that is stored in the 'bigtree_user_sessions' table as a 'bigtree_admin[login]' token value. This may allow an attacker to impersonate any user with a token value stored in the table.
- A flaw exists that may allow carrying out an SQL injection attack. The issue is due to the 'core/inc/bigtree/sql.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists in the 'Install Package' function that is triggered as file types and extensions for uploaded files are not properly validated before being placed in a user-accessible path. This may allow a remote attacker to upload a PHP file and then request it in order to execute arbitrary code with the privileges of the web service.
- A flaw exists as HTTP requests to 'core/admin/modules/users/create.php' do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to create new feeds.
- A flaw exists as HTTP requests to 'admin/developer/feeds/update/<FeedID>' do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a CSRF / XSRF attack causing the victim to update an existing feed that has been specified by the FeedID.
- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'admin/developer/modules/views/edit.php' script does not validate input passed via the URL before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows an XSS attack. This flaw exists because the 'admin/ajax/developer/load-feed-fields.php' script does not validate input passed via the 'table' parameter before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows an XSS attack. This flaw exists because the 'admin/trees/report.php' script does not validate input passed via the report bodies before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Solution

Upgrade to BigTree-CMS version 4.2.11 or later.

See Also

https://github.com/bigtreecms/BigTree-CMS/blob/master/README.md#4211-release

Plugin Details

Severity: Critical

ID: 9557

Family: CGI

Published: 9/9/2016

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:bigtreecms:bigtree_cms

Patch Publication Date: 5/27/2016

Vulnerability Publication Date: 5/27/2016