BigTree 4.2.8: Object Injection & Improper Filename Sanitation

BigTree 4.2.8: Object Injection & Improper Filename Sanitation

Date: 2016-03-15 13:44:27
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: BigTree 4.2.8
Fixed in: BigTree 4.2.9
Fixed Version Link:
Vendor Website:
Vulnerability Type: Object Injection & Improper Filename Sanitation
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 03/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview

BigTree CMS is a CMS written in PHP. In version 4.2.8, it is vulnerable to object injection. The impact of this vulnerability is currently small - privileged users can update settings they are not allowed to update - but may be more extensive depending on installed plugins.

In addition to the object injection, BigTree also has a function called cleanFile which is supposed to prevent directory traversal, but which can be bypassed. The function is not currently used by BigTree itself, but may be used by plugins.

3. Object Injection


CVSS: Low 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N

BigTree passes unvalidated user input to unserialize, leading to PHP object injection. The vulnerability is in the backend, so a user account with the role developer or admin is required. A successful exploitation may for example lead to an admin editing settings they are not authorized to edit.

In BigTree, the admin role is less privileged than the developer role. For example, an admin can only edit a subset of the settings.

The impact of the vulnerability is currently small, as BigTree does not implement __wakeup in any classes, none of the classes implement the iterator interface, and __destruct is only implemented in a limited number of classes, and only one of the cases seems relevant to security: The destructor of the BigTreeCMSBase class updates all settings, without again validating if the user is allowed to update the setting and without re-validating the value of a setting.

This may for example lead to persistent XSS - the admin does not have the right to post scripts, as this would weaken the distinction between admins and developers - by changing the colophon setting. An admin has the right to edit this setting, but the input is HTML encoded before putting it in the database. By bypassing this encoding, a malicious admin can inject scripts.

It should be noted that custom modules may contain classes that lead to a bigger security impact of this vulnerability.

Proof of Concept

The attack can be achieved in a browser by visiting the following URL and clicking on save:

http://localhost/BigTree-CMS/site/index.php/admin/trees/edit/2/?view_data=[INJECTED OBJECT]

A payload to update the setting "bigtree-internal-security-policy" may for example be:


The actual request is a POST request to /BigTree-CMS/site/index.php/admin/trees/edit/process/, where the _bigtree_return_view_data field contains the base64 encoded payload.


/process.php $return_view_data = unserialize(base64_decode($_POST["_bigtree_return_view_data"])); if (!$bigtree["form"]["return_view"] || $bigtree["form"]["return_view"] == $return_view_data["view"]) { $redirect_append = array(); unset($return_view_data["view"]); // We don't need the view passed back. foreach ($return_view_data as $key => $val) { $redirect_append[] = "$key=".urlencode($val); } $redirect_append = "?".implode("&",$redirect_append); } /cms.php function __destruct() { foreach ($this->AutoSaveSettings as $id => $obj) { if (is_object($obj)) { BigTreeAdmin::updateSettingValue($id,get_object_vars($obj)); } else { BigTreeAdmin::updateSettingValue($id,$obj); } } }

4. Improper Filename Sanitation


The function cleanFile is supposed to prevent directory traversal, but currently it does not fulfill its task, as an attacker can easily bypass the filter via ....//. The function is currently not used for any sensitive tasks, but it may be used by extensions or in the future.


/* Function: cleanFile Makes sure that a file path doesn't contain abusive characters (i.e. ../) Parameters: file - A file name Returns: Cleaned up string. */ static function cleanFile($file) { return str_replace("../","",$file); }

5. Solution

To mitigate this issue please upgrade at least to version 4.2.9:

Please note that a newer version might already be available.

6. Report Timeline

01/29/2016 Informed Vendor about Issue
02/02/2016 Vendor sends fixes for verification
02/10/2016 Verified Fixes
02/12/2016 Vendor releases Fixes
03/15/2016 Disclosed to public