#1 May 25, 2016 4:07pm

timbuckingham
Administrator
From: Baltimore, MD
Registered: April 2, 2012
Posts: 802

BigTree 4.2.11 and 4.1.16 Security Releases

BigTree 4.2.11 and 4.1.16 contain bug fixes that harden the security of the CMS for administrative users. No anonymous-user related exploits are being fixed in these releases.

Blind SQL Injection
A user with access to the administration interface can use a Blind SQL Injection attack on module forms to obtain more information about the database. Blind SQL attacks rely on timing based attacks to ask the database true or false questions. These can be used to find private information in the database such as hashed passwords.

Login Cookie Chain Weakness
Logging out of BigTree in 4.2.10 and lower did not properly clear the user's session chain. The session chain is what is used to verify that a user's login cookies have not been compromised and stolen by another user. A precisely timed attack where a cookie is stolen just before a user logged out could provide the attacker with a login cookie that would never be invalidated.

Cross Site Request Forgeries
Several cross site request forgeries were accessible in the Developer section of the site. Tricking a developer-level user into visiting a malicious URL could cause them to auto-POST data to the target website. As some portions of the Developer tools allow for code injection (i.e. view column parsers) a successful exploit could lead to more problems.

Cross Site Scripting
A developer-level user could be tricked into visiting a link to editing a module view that caused Javascript injection into the page which could lead to the theft of cookies. Successfully causing a SQL error while a site's debug mode was on could also yield a cross site scripting vulnerability.

Thank you to Ashraf Alharbi at security-assessment.com for providing vulnerability analysis related to these security issues.

Offline

Board footer

Powered by FluxBB

The Discussion Forum is not available on displays of this size.