BigTree Critical Security Updates (4.1.12, 4.2.6, manual 4.0.x)

timbuckingham · August 17, 2015 9:41am

A critical security bug was disclosed privately to the BigTree team that can expose your database configuration file to public viewing. It can also potentially be used to view other world-readable files on the server hosting BigTree. BigTree 4.1.12 and 4.2.6 include a fix for this vulnerability in their /core/launch.php files, however, older versions of BigTree 4.1 and all versions of 4.0.x did not use launch.php and instead have /site/index.php written by the installer to include routing logic.

If your /site/index.php file is not just 4 or 5 lines including /core/launch.php you must manually apply the following patch:

        // Prevent path manipulations
	$bigtree["path"] = array_filter($bigtree["path"],function($val) {
		if ($val == "..") {
			die();
		}
		return true;
	});

This patch should be applied immediately after the following line in /site/index.php:

$path = $bigtree["path"]; // Backwards compatibility

If your /site/index.php uses launch.php, it is recommended that you update immediately to 4.1.12 or 4.2.6!

Discussion Forum

BigTree CMS Discussion Forum

#1 August 17, 2015 9:41am

BigTree Critical Security Updates (4.1.12, 4.2.6, manual 4.0.x)

Board footer