SQL code execution in bigtreecms 4.2.18 #292
Multiple SQL code execution security issues exist in BigTree CMS versions below 4.2.18.
Continuing in the installExtension() function:
We can execute any SQL code here.
We can get the web root directory here:
The same vulnerability exists in the file \BigTree-CMS-4.2.18\core\admin\modules\developer\packages\install\process.php
This is a feature and one that we don't consider a security hole. You must implicitly trust any package or extension you install as they all have the ability to write PHP files (and as they are PHP scripts could already remotely call the database and write to the file system).
When you install a package or extension, the system must verify the contents of the included files, rather than leaving the user to confirm them on their own. If you install a malicious file, you will be attacked.
Without signing extensions with a private key there's no way for the system to verify an extension hasn't been modified. If an extension has been modified then it's free to execute any PHP code it wants. Having the SQL inside the manifest or inside of sqlquery() calls in a PHP file included in the extension makes little difference. Extensions can already install files into the public root (inside /site/extensions/) so if you simply included a "shell.php" file inside of the /public/ folder in an extension it would be a much easier way to write a shell script than through the manifest SQL.
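The maintainer's reply points at the only control that actually closes the gap: signing extensions with a publisher's private key so the installer can refuse a package whose manifest or files were modified after signing. The following is an added example, not BigTree's code, of what such a check looks like with PHP's libsodium bindings (Ed25519 detached signatures, PHP 7.2+). The package layout (a `manifest.json` listing every file with its SHA-256), the function names, and the sample files and keys are all constructed for the demo; in a real deployment the publisher's public key would be pinned in the CMS configuration rather than generated at run time, and nothing from the manifest (including any SQL) would be executed until `verifyPackage()` returns no errors.

```php
<?php
// Added example (not BigTree's code): gate extension installation behind a
// signature over the manifest plus per-file hashes listed in that manifest.
// Assumes libsodium (PHP >= 7.2). Package layout, names and data are constructed.
declare(strict_types=1);

// Canonical manifest bytes: keys sorted so the signer and verifier hash the same string.
function canonicalManifest(array $manifest): string
{
    ksort($manifest);
    if (isset($manifest['files']) && is_array($manifest['files'])) {
        ksort($manifest['files']);
    }
    return json_encode($manifest, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

// Publisher side: detached Ed25519 signature over the canonical manifest.
function signManifest(array $manifest, string $secretKey): string
{
    return sodium_crypto_sign_detached(canonicalManifest($manifest), $secretKey);
}

// Installer side: returns a list of problems; an empty list means "safe to install".
// $files maps package-relative path => file contents (what an unpacked archive yields).
function verifyPackage(array $manifest, string $signature, array $files, string $publicKey): array
{
    try {
        $ok = sodium_crypto_sign_verify_detached($signature, canonicalManifest($manifest), $publicKey);
    } catch (SodiumException $e) {   // e.g. wrong signature length
        $ok = false;
    }
    if (!$ok) {
        return ['manifest signature invalid'];   // nothing else is trustworthy
    }

    $errors = [];
    // Every file shipped must be listed and must match its signed hash...
    foreach ($files as $path => $contents) {
        if (!isset($manifest['files'][$path])) {
            $errors[] = "unlisted file: $path";
            continue;
        }
        if (!hash_equals($manifest['files'][$path], hash('sha256', $contents))) {
            $errors[] = "hash mismatch: $path";
        }
    }
    // ...and every listed file must actually be present.
    foreach ($manifest['files'] as $path => $_) {
        if (!array_key_exists($path, $files)) {
            $errors[] = "missing file: $path";
        }
    }
    return $errors;
}

// --- Demo with constructed data ---------------------------------------------
$keypair   = sodium_crypto_sign_keypair();            // publisher's key (demo only)
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);  // would be pinned in CMS config

$files = [
    'manifest.sql'          => "CREATE TABLE demo_ext (id INT);",
    'public/widget.js'      => "console.log('widget');",
];
$manifest = [
    'id'      => 'example.extension',
    'version' => '1.0.0',
    'files'   => array_map(fn($c) => hash('sha256', $c), $files),
];
$signature = signManifest($manifest, $secretKey);

// 1. Untouched package: no errors, installer may proceed.
var_dump(verifyPackage($manifest, $signature, $files, $publicKey));   // array(0) {}

// 2. A file added to the package after signing (unlisted) is rejected.
$tampered = $files + ['public/shell.php' => "<?php /* unsigned */"];
var_dump(verifyPackage($manifest, $signature, $tampered, $publicKey)); // "unlisted file: public/shell.php"

// 3. SQL changed after signing fails its hash even though the signature still verifies.
$tampered = $files;
$tampered['manifest.sql'] = "DROP TABLE bigtree_users;";
var_dump(verifyPackage($manifest, $signature, $tampered, $publicKey)); // "hash mismatch: manifest.sql"

// 4. Manifest edited after signing: the signature itself fails.
$edited = $manifest;
$edited['version'] = '1.0.1';
var_dump(verifyPackage($edited, $signature, $files, $publicKey));     // "manifest signature invalid"
```

The check only establishes that the package is exactly what the holder of the private key signed; the decision to trust that publisher remains with the site owner, which is the maintainer's point. Verification also has to happen before any part of the package is written under the web root or any of its SQL is run, otherwise an `unlisted file` finding arrives too late.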