#1 August 17, 2015 9:41am

timbuckingham
Administrator
From: Baltimore, MD
Registered: April 2, 2012
Posts: 903

BigTree Critical Security Updates (4.1.12, 4.2.6, manual 4.0.x)

A critical security bug was disclosed privately to the BigTree team that can expose your database configuration file to public viewing. It can also potentially be used to view other world-readable files on the server hosting BigTree. BigTree 4.1.12 and 4.2.6 include a fix for this vulnerability in their /core/launch.php files, however, older versions of BigTree 4.1 and all versions of 4.0.x did not use launch.php and instead have /site/index.php written by the installer to include routing logic.

If your /site/index.php file is not just 4 or 5 lines including /core/launch.php you must manually apply the following patch:

        // Prevent path manipulations
	$bigtree["path"] = array_filter($bigtree["path"],function($val) {
		if ($val == "..") {
			die();
		}
		return true;
	});

This patch should be applied immediately after the following line in /site/index.php:

$path = $bigtree["path"]; // Backwards compatibility

If your /site/index.php uses launch.php, it is recommended that you update immediately to 4.1.12 or 4.2.6!

Offline

Board footer

Powered by FluxBB

The Discussion Forum is not available on displays of this size.