Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    BigTree 4.2.8
Fixed in:            BigTree 4.2.9
Fixed Version Link:  https://www.bigtreecms.org/download/
Vendor Website:      https://www.bigtreecms.org/
Vulnerability Type:  Object Injection & Improper Filename Sanitation
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 03/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

BigTree CMS is a CMS written in PHP. In version 4.2.8, it is vulnerable to object injection. The impact of this vulnerability is currently small - privileged users can update settings they are not allowed to update - but may be more extensive depending on installed plugins.

In addition to the object injection, BigTree also has a function called cleanFile which is supposed to prevent directory traversal, but which can be bypassed. The function is not currently used by BigTree itself, but may be used by plugins.

3. Object Injection

Description

CVSS: Low 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N

BigTree passes unvalidated user input to unserialize, leading to PHP object injection. The vulnerability is in the backend, so a user account with the role developer or admin is required. A successful exploitation may for example lead to an admin editing settings they are not authorized to edit. In BigTree, the admin role is less privileged than the developer role. For example, an admin can only edit a subset of the settings.

The impact of the vulnerability is currently small, as BigTree does not implement __wakeup in any classes, none of the classes implement the iterator interface, and __destruct is only implemented in a limited number of classes, of which only one seems relevant to security: the destructor of the BigTreeCMSBase class updates all settings, without again validating whether the user is allowed to update the setting and without re-validating the value of a setting.
This may for example lead to persistent XSS - the admin does not have the right to post scripts, as this would weaken the distinction between admins and developers - by changing the colophon setting. An admin has the right to edit this setting, but the input is HTML encoded before putting it in the database. By bypassing this encoding, a malicious admin can inject scripts.

It should be noted that custom modules may contain classes that lead to a bigger security impact of this vulnerability.

Proof of Concept

The attack can be achieved in a browser by visiting the following URL and clicking on save:

http://localhost/BigTree-CMS/site/index.php/admin/trees/edit/2/?view_data=[INJECTED OBJECT]

A payload to update the setting "bigtree-internal-security-policy" may for example be:

a:2:{s:7:"bigtree";O:14:"BigTreeCMSBase":2:{s:16:"AutoSaveSettings";a:1:{s:32:"bigtree-internal-security-policy";a:1:{s:3:"foo";s:3:"bar";}}s:15:"ModuleClassList";a:2:{s:9:"DemoTrees";s:5:"trees";s:10:"DemoQuotes";s:6:"quotes";}}s:4:"view";s:6:"foobar";}

The actual request is a POST request to /BigTree-CMS/site/index.php/admin/trees/edit/process/, where the _bigtree_return_view_data field contains the base64 encoded payload.

Code

/process.php

    $return_view_data = unserialize(base64_decode($_POST["_bigtree_return_view_data"]));
    if (!$bigtree["form"]["return_view"] || $bigtree["form"]["return_view"] == $return_view_data["view"]) {
        $redirect_append = array();
        unset($return_view_data["view"]); // We don't need the view passed back.
        foreach ($return_view_data as $key => $val) {
            $redirect_append[] = "$key=".urlencode($val);
        }
        $redirect_append = "?".implode("&",$redirect_append);
    }

/cms.php

    function __destruct() {
        foreach ($this->AutoSaveSettings as $id => $obj) {
            if (is_object($obj)) {
                BigTreeAdmin::updateSettingValue($id,get_object_vars($obj));
            } else {
                BigTreeAdmin::updateSettingValue($id,$obj);
            }
        }
    }
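The following PHP is an added illustration for the unserialize issue above; it is neither BigTree's code nor the vendor's fix. It shows why a destructor in an attacker-named class runs at all, how the allowed_classes option of unserialize (PHP 7.0 and later) stops the class from being instantiated, and a replacement for the view-data round trip that avoids the serialize format altogether by using JSON with an HMAC. The class DestructorProbe, the helpers encodeViewData and decodeViewData, the secret and the serialized string are all constructed for this example.

```php
<?php
// Added example, not BigTree's code. Demonstrates the mechanism behind PHP
// object injection through unserialize() and two defensive alternatives.

// Constructed class standing in for any application class with a destructor.
class DestructorProbe {
    public static $fired = 0;
    public function __destruct() { self::$fired++; }
}

// Constructed payload: an array whose "view" entry names DestructorProbe.
// strlen("DestructorProbe") === 15, so the serialized form is O:15:"...".
$untrusted = base64_encode('a:1:{s:4:"view";O:15:"DestructorProbe":0:{}}');

// 1. Unsafe: plain unserialize() instantiates whatever class the input names,
//    so dropping the result runs that class's destructor.
$data = unserialize(base64_decode($untrusted));
unset($data);
echo "after plain unserialize, destructors fired: " . DestructorProbe::$fired . "\n";

// 2. Mitigation: refuse to instantiate any class. The object becomes a
//    __PHP_Incomplete_Class, which has no magic methods of its own.
$data = unserialize(base64_decode($untrusted), ['allowed_classes' => false]);
echo "class seen by the application: " . get_class($data['view']) . "\n";
unset($data);
echo "after hardened unserialize, destructors fired: " . DestructorProbe::$fired . "\n";

// 3. Preferred: do not use the serialize format for client round trips at all.
//    Encode a flat map as JSON, authenticate it with an HMAC, and verify the
//    MAC before parsing anything.
function encodeViewData(array $viewData, string $secret): string {
    $json = json_encode($viewData, JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $json, $secret);      // hex digest, never contains '.'
    return base64_encode($mac . '.' . $json);
}

function decodeViewData(string $blob, string $secret): ?array {
    $raw = base64_decode($blob, true);
    if ($raw === false || strpos($raw, '.') === false) {
        return null;
    }
    [$mac, $json] = explode('.', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return null;                                  // tampered or not ours
    }
    $data = json_decode($json, true);                 // arrays only, never objects
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $value) {
        if (!is_scalar($value)) {
            return null;                              // only flat key/value pairs
        }
    }
    return $data;
}

// Constructed secret; in a real application this comes from server-side config.
$secret = 'example-only-secret';
$blob = encodeViewData(['view' => 'foobar', 'page' => 2], $secret);
var_dump(decodeViewData($blob, $secret));
var_dump(decodeViewData(base64_encode('deadbeef.{"view":"x"}'), $secret));
```

Run as a script, the first unserialize call fires the destructor once, the hardened call reports __PHP_Incomplete_Class and leaves the counter unchanged, and the last decodeViewData call returns null because the MAC does not verify. The JSON path also removes the need for the is_object branch in the destructor shown above, since json_decode with the assoc flag can only ever produce arrays and scalars.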
4. Improper Filename Sanitation

Description

The function cleanFile is supposed to prevent directory traversal, but currently it does not fulfill its task, as an attacker can easily bypass the filter via ....//. The function is currently not used for any sensitive tasks, but it may be used by extensions or in the future.

Code

    /*
        Function: cleanFile
            Makes sure that a file path doesn't contain abusive characters (i.e. ../)

        Parameters:
            file - A file name

        Returns:
            Cleaned up string.
    */

    static function cleanFile($file) {
        return str_replace("../","",$file);
    }

5. Solution

To mitigate this issue please upgrade at least to version 4.2.9:

https://www.bigtreecms.org/download/

Please note that a newer version might already be available.

6. Report Timeline

01/29/2016 Informed Vendor about Issue
02/02/2016 Vendor sends fixes for verification
02/10/2016 Verified Fixes
02/12/2016 Vendor releases Fixes
03/15/2016 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/BigTree-428-Object-Injection-amp-Improper-Filename-Sanitation-152.html

--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
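For the cleanFile bypass in section 4, the following PHP is an added illustration (not BigTree's code and not the vendor's fix). It reproduces the single-pass str_replace for comparison, shows why ....// survives it, and gives two defensive replacements: rejecting any path that contains a dot segment, and canonicalising the path and checking that it stays inside a base directory. The function names cleanFileSinglePass, isSafeRelativePath and resolveInside are constructed for this example.

```php
<?php
// Added example, not BigTree's code. Why one pass of str_replace is not a
// traversal filter, and what to do instead.

// The page's approach, kept only for comparison: one left-to-right pass.
function cleanFileSinglePass(string $file): string {
    return str_replace("../", "", $file);
}

// Alternative 1: reject instead of strip. Nothing is removed, so there is no
// way to "double up" characters around the filter. Absolute paths, empty
// segments, "." and ".." segments, backslash separators and NUL bytes are
// all refused.
function isSafeRelativePath(string $file): bool {
    if ($file === '' || $file[0] === '/' || strpos($file, "\0") !== false) {
        return false;
    }
    $normalized = str_replace('\\', '/', $file);
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;
        }
    }
    return true;
}

// Alternative 2: canonicalise and check containment. realpath() resolves
// "..", "." and symlinks against the real filesystem, so the check is on the
// final location, not on the spelling of the input. Returns null unless the
// file exists and lies under $baseDir.
function resolveInside(string $baseDir, string $file): ?string {
    $base = realpath($baseDir);
    $target = realpath($baseDir . '/' . $file);
    if ($base === false || $target === false) {
        return null;
    }
    $base = rtrim($base, '/') . '/';
    return strncmp($target, $base, strlen($base)) === 0 ? $target : null;
}

// Constructed inputs. In "....//", str_replace finds "../" at offset 2 and
// removes it, and the leftover ".." and "/" join back into "../".
$probe = "....//....//etc/passwd";
echo "single pass: " . cleanFileSinglePass($probe) . "\n";
var_dump(isSafeRelativePath($probe));
var_dump(isSafeRelativePath("images/logo.png"));
var_dump(isSafeRelativePath("images/../logo.png"));
```

The single-pass call prints ../../etc/passwd, which is exactly the string the filter was meant to remove, while isSafeRelativePath returns false for both traversal inputs and true only for the plain relative name. Looping str_replace until the string stops changing would also close this particular hole, but a reject-on-sight check is easier to reason about, and the realpath variant is the one to use when the file must actually be opened, because it checks the resolved location rather than the input string.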