There are two design flaws in BigTree CMS versions less than 4.2.18.
one.
the administrator-level user can delete or edit another administrator-level user, resulting in a malicious delete or edit.
the current user can only delete or edit users who have fewer privileges than him.
two.
the current user can delete himself, bypassing system restrictions (the system is disabled by default).
the current user may not delete himself.
the flawed code:

admin\ajax\users\delete.php

    $admin->requireLevel(1);   // only checks that the caller is at least an administrator
    $admin->deleteUser($id);   // $id is never compared with the caller's own id

\core\inc\bigtree\admin.php

    function requireLevel($level) {
        global $admin,$bigtree,$cms;
        if (!isset($this->Level) || $this->Level < $level) {
            define("BIGTREE_ACCESS_DENIED",true);
            $this->stop(file_get_contents(BigTree::path("admin/pages/_denied.php")));
        }
    }

    function deleteUser($id) {
        $id = sqlescape($id);
        // If this person has higher access levels than the person trying to update them, fail.
        // ">" rather than ">=" means a user at the same level (including the caller himself) passes the check.
        $current = static::getUser($id);
        if ($current["level"] > $this->Level) {
            return false;
        }
        sqlquery("DELETE FROM bigtree_users WHERE id = '$id'");
        $this->track("bigtree_users",$id,"deleted");
        return true;
    }
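An added example, not BigTree's own code, showing the two checks the report asks for as a self-contained policy class over a constructed in-memory user table: self-deletion is refused unconditionally, and the acting user must strictly outrank the target. The class name, the level values and the sample users are assumptions; the strict equal-level rule is the reporter's proposal, which the maintainer's reply on this issue declines for equal-level administrators.

```php
<?php
// Added example (not BigTree's code). Demonstrates the authorization rules the report
// proposes for deleteUser(): no self-deletion, and only strictly lower levels may be deleted.
// The user table is constructed in memory so the example runs without a database.

class UserDeletionPolicy
{
    /** @var array<int, array{id:int, level:int, name:string}> constructed user table */
    private array $users;

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    /**
     * Decide whether $actorId may delete $targetId.
     * Rule 1: a user may never delete himself, regardless of level.
     * Rule 2: the actor's level must be strictly greater than the target's level.
     * Unknown ids fail closed.
     */
    public function canDelete(int $actorId, int $targetId): bool
    {
        if ($actorId === $targetId) {
            return false; // rule 1: self-deletion refused
        }
        if (!isset($this->users[$actorId]) || !isset($this->users[$targetId])) {
            return false; // fail closed on unknown ids
        }
        // The flawed original tested target['level'] > actor level and so let equal levels through;
        // here the actor must strictly outrank the target.
        return $this->users[$actorId]['level'] > $this->users[$targetId]['level'];
    }

    /** Remove the target only when canDelete() allows it. */
    public function deleteUser(int $actorId, int $targetId): bool
    {
        if (!$this->canDelete($actorId, $targetId)) {
            return false;
        }
        unset($this->users[$targetId]);
        return true;
    }

    public function exists(int $id): bool
    {
        return isset($this->users[$id]);
    }
}

// Constructed sample data (levels are assumed values): two equal-level admins and one lower-level user.
$policy = new UserDeletionPolicy([
    1 => ['id' => 1, 'level' => 1, 'name' => 'admin-a'],
    2 => ['id' => 2, 'level' => 1, 'name' => 'admin-b'],
    3 => ['id' => 3, 'level' => 0, 'name' => 'publisher'],
]);

// Each case exercises one branch of canDelete(): self, equal level, strictly lower level.
foreach ([[1, 1, 'self'], [1, 2, 'equal level'], [1, 3, 'lower level']] as [$actor, $target, $label]) {
    $allowed = $policy->deleteUser($actor, $target);
    echo sprintf("%-12s actor=%d target=%d allowed=%s still_exists=%s\n",
        $label, $actor, $target, var_export($allowed, true), var_export($policy->exists($target), true));
}
```

The decision is isolated in canDelete() so the same rule can be applied by both the AJAX endpoint and any UI code path, which is what prevents the "if you tried very hard" bypass the maintainer mentions: the endpoint itself, not only the form, enforces the restriction.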
Being able to delete yourself (if you tried very hard!) is now fixed.
We don't really consider being able to delete equal leveled users as a design flaw. Often times there will be multiple administrators at an organization and one will leave the organization. Having to contact your site's developer to remove a user from your system would be an undue burden. Administrator level access already has the ability to delete the entire site content - if you can't trust one of them not to delete other administrator users you're already in a lot of trouble.