This is a short explanation of the vulnerability and how to exploit it.
The vulnerability is in the account settings request, which is used to change the account name, company and password.
A normal request looks like this:
The vulnerability exists in
Here it clearly isn’t doing any checks to prevent CSRF.
So exploiting this is very simple: you just have to lure someone who is already logged into the application into visiting a page containing this code:
The values here can be changed to anything; the page automatically issues a POST request to
http:/bigtree/site/index.php/admin/users/profile/update/ with the following arguments:
Unfortunately it is reasonably intrusive because, when the page loads, the victim will see this:
So the user will immediately know that their profile details might have changed.
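As an added illustration of the missing check (this is example code, not BigTree CMS’s own handler or the fix linked below), here is the usual mitigation for a form handler like the one described: a per-session synchroniser token that the settings form embeds and the update handler verifies before touching the account. The form field names, the `save_profile()` persistence stub and the `/admin/users/profile/update/` action path are assumed for illustration.

```php
<?php
// Added example, not BigTree CMS code: a minimal CSRF-protected profile
// update handler using a per-session synchroniser token.

session_start();

// Issue one random token per session and reuse it for every form in that
// session (rotate it on login/logout; per-request tokens are also an option).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the submitted token matches the session token.
// hash_equals() compares in constant time so the token does not leak via timing.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Stand-in for the application's own persistence layer (assumed name).
function save_profile(string $name, string $company, string $password): void
{
    // Update the user record here; the password must be hashed before storage.
}

// Vulnerable shape, as the post describes it: any POST that arrives with the
// victim's session cookie is accepted, so a cross-site form can change the
// name, company and password.
function update_profile_unprotected(array $post): void
{
    save_profile($post['name'], $post['company'], $post['password']);
}

// Hardened shape: a request without a valid token is rejected before any
// account data is modified.
function update_profile_protected(array $post): void
{
    if (!csrf_check($post)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    save_profile($post['name'], $post['company'], $post['password']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    update_profile_protected($_POST);
} else {
    // The legitimate settings form must carry the token as a hidden field;
    // a page on another origin cannot read it, so its forged POST fails the check.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="/admin/users/profile/update/">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input name="name"> <input name="company"> '
       . '<input name="password" type="password">'
       . '<button>Save</button></form>';
}
```

The token only helps if every state-changing handler calls `csrf_check()`; a single unprotected endpoint that accepts the session cookie alone is enough to reproduce the problem above. Setting the session cookie with `SameSite=Lax` or `Strict` is a useful second layer, but it is not a substitute for the token check on browsers that ignore the attribute.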
So I contacted Tim Buckingham (the lead developer for BigTree CMS) about this issue yesterday (on 7th March 2015) and he replied the next day informing me that he’d fixed the issue.
You can see the fix here.
The next full releases of BigTree CMS (4.1.6 and 4.0.10) should be out next week and will incorporate this fix.
Happy Hacking :–)
Update (07/04/2015): BigTree CMS have finally released the next version (4.2) that includes the fix; you can download the latest version from here.