SQL injection in bigtreecms 4.2.18 #304

songtancat · 2017-07-29T07:51:29Z

SQL injection in bigtreecms 4.2.18

Needs an account of normal user with edit module permissions.

in BigTree\core\admin\auto-modules\forms\process.php:

get tags parameter:
$tags = $_POST["_tags"];

call updateItem() or createItem() with tags:
BigTreeAutoModule::updateItem($table,$edit_id,$item,$many_to_many,$tags);

in updateItem() or createItem():

foreach ($tags as $tag) {
    sqlquery("DELETE FROM bigtree_tags_rel WHERE 'table' = '".sqlescape($table)."' AND entry = $id AND tag = $tag"); 
    sqlquery("INSERT INTO bigtree_tags_rel ('table','entry','tag') VALUES ('".sqlescape($table)."',$id,$tag)");
}

call sqlquery() without sqlescape() the tag parameter. cause sql injection

to exploit:

login with edit module permissions.
get the post request of edit module.

POST /BigTree/site/index.php/admin/trees/edit/process/ HTTP/1.1
...
...
Content-Disposition: form-data; name="_tags[0]"

123*
...
...

send it to sqlmap tool

The text was updated successfully, but these errors were encountered:

#304

timbuckingham · 2017-07-29T15:20:39Z

Thanks! This should be fixed in the upcoming 4.2.19 release next week.

timbuckingham added a commit that referenced this issue Jul 29, 2017

Fixing SQL injection data leakage. Thanks songtancat @ GitHub.

3aa4da5

#304

timbuckingham closed this as completed Jul 29, 2017

timbuckingham added this to the 4.2.19 milestone Jul 29, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL injection in bigtreecms 4.2.18 #304

SQL injection in bigtreecms 4.2.18 #304

songtancat commented Jul 29, 2017

timbuckingham commented Jul 29, 2017

SQL injection in bigtreecms 4.2.18 #304

SQL injection in bigtreecms 4.2.18 #304

Comments

songtancat commented Jul 29, 2017

timbuckingham commented Jul 29, 2017