#' Exploit Title: Unrestricted File Upload
#' Vulnerability Type: Accessing, Modifying or Executing Executable Files (CAPEC-17)
#' Reporting Date: 07-04-2017
#' Author: @math1as
#' Vendor Homepage: https://www.bigtreecms.org/
#' Software Link: https://github.com/bigtreecms
#' Version: v.4.2.16
I. Abstract
BigTree CMS is publicly licensed under the GNU Lesser General Public License.
It is an open-source content management system built on PHP and MySQL.
II. Introduction
2.1 Accessing, Modifying or Executing Executable Files
An attack of this type exploits a system's configuration that allows an attacker either to directly access an executable file, for example through shell access, or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems with many integration points are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
2.2 Vulnerability analysis for BigTree CMS
In the file /core/inc/bigtree/apis/storage.php, line 11:
var $DisabledExtensionRegEx = '/\.(exe|com|bat|php|rb|py|cgi|pl|sh|asp|aspx)$/i';
This regular expression shows that the check could be bypassed by uploading a file named 'xxx.php[space]' (a trailing space after the extension, so the anchored pattern does not match).
The attacker could then obtain a webshell by using this method.
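As an added illustration (not BigTree's own code), the PHP below contrasts the denylist regex quoted above with a hardened allowlist check that normalises the filename before testing it; the constant and function names and the allowlist contents are assumptions. With it, 'xxx.php ' passes the denylist but is rejected by the hardened check.

```php
<?php
// Added example, not BigTree's code: why a denylist anchored with `$` is
// bypassed by a trailing space, and a hardened replacement.

// The denylist from storage.php line 11 (constant name is an assumption).
const DISABLED_EXTENSION_REGEX = '/\.(exe|com|bat|php|rb|py|cgi|pl|sh|asp|aspx)$/i';

// Original-style check: rejects only if the raw name ends with a listed extension.
function isAllowedDenylist(string $filename): bool {
    return preg_match(DISABLED_EXTENSION_REGEX, $filename) !== 1;
}

// Hardened check: allowlist of the types the site actually needs (assumed list).
function isAllowedHardened(string $filename, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']): bool {
    // Drop any directory component the client may have sent.
    $name = basename(str_replace('\\', '/', $filename));
    // Normalise: strip surrounding whitespace/NUL, then trailing dots and spaces,
    // which Windows silently discards, so "xxx.php " and "xxx.php." become "xxx.php".
    $name = rtrim(trim($name, " \t\n\r\0\x0B"), '. ');
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // Judge every dotted segment, so "shell.php.jpg" is tested on "php" as well.
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    array_shift($parts); // discard the base name
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample filenames, including the bypass described in the advisory.
$samples = ['photo.jpg', 'xxx.php', 'xxx.php ', 'xxx.php.', 'shell.php.jpg'];
foreach ($samples as $s) {
    printf("%-16s denylist=%s hardened=%s\n", json_encode($s),
        isAllowedDenylist($s) ? 'allow' : 'block',
        isAllowedHardened($s) ? 'allow' : 'block');
}
```

Beyond filename checks, storing uploads outside the web root or with script execution disabled removes the impact even when a name slips through.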
III. References
3.1. CAPEC-17 https://capec.mitre.org/data/definitions/17.html
3.2. https://www.owasp.org/index.php/Unrestricted_File_Upload