BigTree 4.2.8 Object Injection / Improper Filename Sanitization

18 Mar 2016 | Reported by Tim Coen | Type: packetstorm | Source: packetstormsecurity.com


Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: BigTree 4.2.8  
Fixed in: BigTree 4.2.9  
Fixed Version Link: https://www.bigtreecms.org/download/  
Vendor Website: https://www.bigtreecms.org/  
Vulnerability Type: Object Injection & Improper Filename Sanitation  
Remote Exploitable: Yes  
Reported to vendor: 01/29/2016  
Disclosed to public: 03/15/2016  
Release mode: Coordinated Release  
CVE: n/a  
Credits: Tim Coen of Curesec GmbH  
  
2. Overview  
  
BigTree CMS is a CMS written in PHP. In version 4.2.8, it is vulnerable to  
object injection. The impact of this vulnerability is currently small -  
privileged users can update settings they are not allowed to update - but may  
be more extensive depending on installed plugins.  
  
In addition to the object injection, BigTree also has a function called  
cleanFile which is supposed to prevent directory traversal, but which can be  
bypassed. The function is not currently used by BigTree itself, but may be used  
by plugins.  
  
3. Object Injection  
  
Description  
  
CVSS: Low 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N  
  
BigTree passes unvalidated user input to unserialize, leading to PHP object  
injection. The vulnerability is in the backend, so a user account with the role  
developer or admin is required. A successful exploitation may for example lead  
to an admin editing settings they are not authorized to edit.  
  
In BigTree, the admin role is less privileged than the developer role. For  
example, an admin can only edit a subset of the settings.  
  
The impact of the vulnerability is currently small, as BigTree does not  
implement __wakeup in any classes, none of the classes implement the iterator  
interface, and __destruct is only implemented in a limited number of classes,  
and only one of the cases seems relevant to security: The destructor of the  
BigTreeCMSBase class updates all settings, without again validating if the user  
is allowed to update the setting and without re-validating the value of a  
setting.  
  
This may for example lead to persistent XSS - the admin does not have the right  
to post scripts, as this would weaken the distinction between admins and  
developers - by changing the colophon setting. An admin has the right to edit  
this setting, but the input is HTML encoded before putting it in the database.  
By bypassing this encoding, a malicious admin can inject scripts.  
  
It should be noted that custom modules may contain classes that lead to a  
bigger security impact of this vulnerability.  
  
Proof of Concept  
  
The attack can be achieved in a browser by visiting the following URL and  
clicking on save:  
  
http://localhost/BigTree-CMS/site/index.php/admin/trees/edit/2/?view_data=[INJECTED OBJECT]  
  
A payload to update the setting "bigtree-internal-security-policy" may for  
example be:  
  
```text
a:2:{s:7:"bigtree";O:14:"BigTreeCMSBase":2:{s:16:"AutoSaveSettings";a:1:{s:32:"bigtree-internal-security-policy";a:1:{s:3:"foo";s:3:"bar";}}s:15:"ModuleClassList";a:2:{s:9:"DemoTrees";s:5:"trees";s:10:"DemoQuotes";s:6:"quotes";}}s:4:"view";s:6:"foobar";}
```
  
The actual request is a POST request to /BigTree-CMS/site/index.php/admin/trees  
/edit/process/, where the _bigtree_return_view_data field contains the base64  
encoded payload.  
  
Code  
  
/process.php  
```php
$return_view_data = unserialize(base64_decode($_POST["_bigtree_return_view_data"]));
if (!$bigtree["form"]["return_view"] || $bigtree["form"]["return_view"] == $return_view_data["view"]) {
    $redirect_append = array();
    unset($return_view_data["view"]); // We don't need the view passed back.
    foreach ($return_view_data as $key => $val) {
        $redirect_append[] = "$key=".urlencode($val);
    }
    $redirect_append = "?".implode("&",$redirect_append);
}
```
  
/cms.php  
```php
function __destruct() {
    foreach ($this->AutoSaveSettings as $id => $obj) {
        if (is_object($obj)) {
            BigTreeAdmin::updateSettingValue($id,get_object_vars($obj));
        } else {
            BigTreeAdmin::updateSettingValue($id,$obj);
        }
    }
}
```
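Detection example added here (not part of the advisory or of BigTree): a minimal walker over the PHP serialize format that reports which classes a decoded _bigtree_return_view_data field would instantiate, so a request filter or log review can flag the request before unserialize() runs. The POST bodies are constructed test input; the serialized samples are the advisory's own PoC payload and a benign array.

```python
import base64
from urllib.parse import parse_qs, urlencode
def php_object_classes(data: str) -> list:
    """Return the class name of every O: token in a PHP-serialized value.
    Strings are skipped by declared length, so an "O:" inside a string is not a hit."""
    classes = []
    def skip(pos):  # returns the index just past the value that starts at pos
        t = data[pos]
        if t == "N":                         # N;
            return pos + 2
        if t in "ibd":                       # i:2;  b:1;  d:1.5;
            return data.index(";", pos) + 1
        colon = data.index(":", pos + 2)
        n = int(data[pos + 2:colon])         # string length, or element count
        if t == "s":                         # s:LEN:"...";
            return colon + n + 4
        if t == "a":                         # a:COUNT:{key;value;...}
            p = colon + 2
        elif t == "O":                       # O:LEN:"Class":COUNT:{prop;value;...}
            classes.append(data[colon + 2:colon + 2 + n])
            p = colon + n + 4
            colon2 = data.index(":", p)
            n, p = int(data[p:colon2]), colon2 + 2
        else:
            raise ValueError("unsupported token %r at %d" % (t, pos))
        for _ in range(n):
            p = skip(skip(p))                # key (or property name), then value
        return p + 1                         # closing }

    skip(0)
    return classes

def classes_in_view_data(post_body: str) -> list:
    """Decode the field as process.php does (base64, then unserialize) and return the classes it would instantiate; bad input -> []."""
    raw = parse_qs(post_body).get("_bigtree_return_view_data", [""])[0]
    try:
        serialized = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        return php_object_classes(serialized)
    except (ValueError, IndexError):
        return []

def view_data_body(serialized: str) -> str:  # encodes a value as the hidden form field sends it
    return urlencode({"_bigtree_return_view_data": base64.b64encode(serialized.encode()).decode()})

# Constructed samples: the advisory's PoC payload and a benign view/page array.
POC_PAYLOAD = ('a:2:{s:7:"bigtree";O:14:"BigTreeCMSBase":2:{s:16:"AutoSaveSettings";a:1:{s:32:'
               '"bigtree-internal-security-policy";a:1:{s:3:"foo";s:3:"bar";}}s:15:"ModuleClassList";a:2:'
               '{s:9:"DemoTrees";s:5:"trees";s:10:"DemoQuotes";s:6:"quotes";}}s:4:"view";s:6:"foobar";}')
BENIGN_PAYLOAD = 'a:2:{s:4:"view";s:6:"foobar";s:4:"page";i:2;}'
```

Any non-empty result is the alert condition; the application-side fix is to stop unserializing user input at all (for example JSON, or unserialize() with allowed_classes set to false on PHP 7+).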
  
4. Improper Filename Sanitation  
  
Description  
  
The function cleanFile is supposed to prevent directory traversal, but  
currently it does not fulfill its task, as an attacker can easily bypass the  
filter via ....//. The function is currently not used for any sensitive tasks,  
but it may be used by extensions or in the future.  
  
Code  
  
```php
/*
    Function: cleanFile
        Makes sure that a file path doesn't contain abusive characters (i.e. ../)

    Parameters:
        file - A file name

    Returns:
        Cleaned up string.
*/

static function cleanFile($file) {
    return str_replace("../","",$file);
}
```
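To show why a single-pass strip is not a sanitizer, here is an added example (not BigTree code) that reproduces cleanFile in Python beside a containment check that validates the resolved path instead of rewriting it; base_dir is an assumed upload root and POSIX separators are assumed.

```python
import posixpath
from typing import Optional

def clean_file_original(file: str) -> str:
    """Python rendering of BigTree 4.2.8's cleanFile(): a single str_replace("../", "")."""
    return file.replace("../", "")          # "....//x" -> "../x": the strip recreates what it removed

def safe_relative_path(file: str, base_dir: str = "/var/www/site/files") -> Optional[str]:
    """Hardened alternative (added here, not BigTree code): strip nothing; normalize the path and
    accept it only if it still resolves inside base_dir. Returns the absolute path or None.
    base_dir is an assumed upload root."""
    if "\x00" in file:                      # NUL bytes truncate paths in C-level file APIs
        return None
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, file.lstrip("/")))
    if target == base or target.startswith(base + "/"):
        return target
    return None
```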
  
5. Solution  
  
To mitigate this issue, please upgrade to version 4.2.9 or later:  
  
https://www.bigtreecms.org/download/  
  
Please note that a newer version might already be available.  
  
6. Report Timeline  
  
01/29/2016 Informed Vendor about Issue  
02/02/2016 Vendor sends fixes for verification  
02/10/2016 Verified Fixes  
02/12/2016 Vendor releases Fixes  
03/15/2016 Disclosed to public  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/BigTree-428-Object-Injection-amp-Improper-Filename-Sanitation-152.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  