SQL code execution in bigtreecms 4.2.18 #292
Comments
This is a feature and one that we don't consider a security hole. You must implicitly trust any package or extension you install as they all have the ability to write PHP files (and as they are PHP scripts could already remotely call the database and write to the file system).

When you install a package or extension, the contents of the included files must be verified, rather than left for the user to confirm on their own. If you install a malicious file, you will be attacked.

Without signing extensions with a private key there's no way for the system to verify an extension hasn't been modified. If an extension has been modified then it's free to execute any PHP code it wants. Having the SQL inside the manifest or inside of sqlquery() calls in a PHP file included in the extension makes little difference. Extensions can already install files into the public root (inside /site/extensions/) so if you simply included a "shell.php" file inside of the /public/ folder in an extension it would be a much easier way to write a shell script than through the manifest SQL.

Multiple security issues of SQL code execution exist in BigTree CMS less than 4.2.18.
File:
\BigTree-CMS-4.2.18\core\admin\modules\developer\extensions\install\process.php
Continue to the installExtension() function.
File: \BigTree-CMS-4.2.18\core\inc\bigtree\admin.php
Note here:
We can execute any SQL code here.
POC:
1. Build extension
2. Add modules, templates, callouts, field types, feeds, and settings to your extension.
3. Add additional files to your extension.
4. Create extension
5. Download extension (a zip file)
6. Modify manifest.json content in extension (a zip file)
7. Install extension (upload and install)
8. The SQL code will be executed when the install is successful
Here we write a file to the web root directory:
We can get the web root directory here:
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/ajax/developer/extensions/file-browser/
When you select a file and then save-files, you can get the web root directory.
The same vulnerability exists in the file \BigTree-CMS-4.2.18\core\admin\modules\developer\packages\install\process.php
thank you~
email : xfkxfk@secbook.net
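
The thread turns on whether an extension archive can be checked before it is installed. As an added example (not part of the issue thread and not BigTree's own code), this Python pre-install audit compares the zip against a SHA-256 digest recorded when the package was built, then lists every SQL-looking string in manifest.json and every PHP file the archive ships. The manifest layout in the constructed sample, the `sql` key, and the names `find_sql`, `audit_extension` and `build_sample` are assumptions; the pinned digest stands in for a signature and is only meaningful if it was obtained from the author over a trusted channel.

```python
import hashlib, io, json, re, zipfile

# Strings that start with a SQL verb are surfaced for human review.
SQL_RE = re.compile(r"^\s*(CREATE|ALTER|DROP|INSERT|UPDATE|DELETE|REPLACE|SELECT|SET|GRANT|LOAD)\b", re.I)

def find_sql(node, path="$"):
    """Yield (json_path, text) for every manifest string that looks like SQL."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_sql(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_sql(value, f"{path}[{i}]")
    elif isinstance(node, str) and SQL_RE.match(node):
        yield path, node

def audit_extension(zip_bytes, pinned_sha256=None):
    """Report the archive digest, SQL found in manifest.json and PHP files shipped."""
    digest = hashlib.sha256(zip_bytes).hexdigest()
    report = {"sha256": digest, "sql": [], "php": [],
              # None means no reference digest was supplied, so nothing was checked.
              "digest_ok": None if pinned_sha256 is None else digest == pinned_sha256.lower()}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".php"):
                report["php"].append(name)
            if name.rsplit("/", 1)[-1] == "manifest.json":
                report["sql"] += list(find_sql(json.loads(zf.read(name))))
    return report

def build_sample(extra_sql=()):
    """Constructed sample archive; the manifest layout here is an assumption."""
    manifest = {"id": "com.example.demo", "title": "Demo",
                "sql": ["CREATE TABLE `demo` (`id` INT)", *extra_sql]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        stamp = (2020, 1, 1, 0, 0, 0)  # fixed timestamp keeps the bytes reproducible
        zf.writestr(zipfile.ZipInfo("manifest.json", stamp), json.dumps(manifest))
        zf.writestr(zipfile.ZipInfo("templates/demo.php", stamp), "<?php // template ?>")
    return buf.getvalue()

if __name__ == "__main__":
    original = build_sample()
    pinned = hashlib.sha256(original).hexdigest()  # digest recorded when the package was built
    modified = build_sample(extra_sql=["INSERT INTO `demo` VALUES (1)"])
    for label, blob in (("original", original), ("modified", modified)):
        print(label, json.dumps(audit_extension(blob, pinned), indent=2))
```

A clean report does not make a package trustworthy: as the maintainer's comment notes, any PHP file in the archive can run arbitrary code once installed, so the `php` list needs the same review as the `sql` list.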