design flaw in BigTree CMS Less than 4.2.18 #282

Closed
xfkxfk opened this issue May 17, 2017 · 1 comment

@xfkxfk

commented May 17, 2017

There are two design flaws in BigTree CMS less than 4.2.18.

One.
The administrator-level user can delete or edit another administrator-level user, resulting in malicious deletion or editing.
The current user should only be able to delete or edit users who have fewer privileges than him.

Two.
The current user can delete himself, bypassing system restrictions (the system is disabled by default).
The current user may not delete himself.

The flawed code:
admin\ajax\users\delete.php

$admin->requireLevel(1);
$admin->deleteUser($id);

\core\inc\bigtree\admin.php

function requireLevel($level) {
    global $admin,$bigtree,$cms;
    if (!isset($this->Level) || $this->Level < $level) {
        define("BIGTREE_ACCESS_DENIED",true);
        $this->stop(file_get_contents(BigTree::path("admin/pages/_denied.php")));
    }
}

function deleteUser($id) {
    $id = sqlescape($id);
    // If this person has higher access levels than the person trying to update them, fail.
    $current = static::getUser($id);
    if ($current["level"] > $this->Level) {
        return false;
    }

    sqlquery("DELETE FROM bigtree_users WHERE id = '$id'");
    $this->track("bigtree_users",$id,"deleted");

    return true;
}
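An added illustration, not BigTree's code and not from either commenter: the authorization check inside deleteUser() above, reduced to a pure function so the posted rule can be compared side by side with the rule the report asks for (no equal-level deletion, no self-deletion). The account arrays, level values and the canDelete* function names are constructed for this example.

```php
<?php
// Added example, not BigTree's code. $actor and $target are constructed
// associative arrays shaped like a bigtree_users row ("id", "level").

// The check as posted: it only refuses when the target outranks the actor,
// so a target at the same level, including the actor's own account, passes.
function canDeleteAsReported(array $actor, array $target): bool {
    return !((int)$target['level'] > (int)$actor['level']);
}

// The rule the report asks for (hypothetical, not the project's fix): refuse
// self-deletion outright and only allow targets strictly below the actor.
function canDeleteStrict(array $actor, array $target): bool {
    if ((int)$target['id'] === (int)$actor['id']) {
        return false;   // a user may not delete themselves
    }
    return (int)$target['level'] < (int)$actor['level'];
}

// Constructed sample accounts: two at level 1, one at level 0.
$adminA = ['id' => 1, 'level' => 1];
$adminB = ['id' => 2, 'level' => 1];
$editor = ['id' => 3, 'level' => 0];

$cases = [
    'admin A deletes admin B' => [$adminA, $adminB],
    'admin A deletes self'    => [$adminA, $adminA],
    'admin A deletes editor'  => [$adminA, $editor],
    'editor deletes admin A'  => [$editor, $adminA],
];

printf("%-26s %-12s %s\n", 'case', 'as reported', 'strict');
foreach ($cases as $label => [$actor, $target]) {
    printf("%-26s %-12s %s\n", $label,
        canDeleteAsReported($actor, $target) ? 'allowed' : 'denied',
        canDeleteStrict($actor, $target) ? 'allowed' : 'denied');
}
```

The first two cases are the ones the report describes: both are allowed by the posted check and denied by the stricter rule, while the last two behave the same under either.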
@timbuckingham
Collaborator

commented May 25, 2017

Being able to delete yourself (if you tried very hard!) is now fixed.

We don't really consider being able to delete equal leveled users as a design flaw. Often times there will be multiple administrators at an organization and one will leave the organization. Having to contact your site's developer to remove a user from your system would be an undue burden. Administrator level access already has the ability to delete the entire site content - if you can't trust one of them not to delete other administrator users you're already in a lot of trouble.
