Summary
This host is installed with BigTree CMS and is prone to multiple vulnerabilities
Impact
Successful exploitation will allow remote attackers to insert arbitrary HTML or script code, which will be executed in a user's browser session in the context of an affected site, hijack user session or manipulate SQL queries by injecting arbitrary SQL code.
Impact Level: Application
Solution
Upgrade to version 4.0 or later,
For updates refer to http://www.bigtreecms.org
Insight
Multiple flaws are due to,
- Improper sanitation of user-supplied input passed via the URL to the site/index.php script and 'module' parameter upon submission to '/admin/developer/modules/views/add/index.php' script - Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php and core/admin/modules/users/update.php
Affected
BigTree CMS version 4.0 RC2 and prior
Detection
Send a crafted HTTP GET request and check whether it is able to read the database version or not.
References
Severity
Classification
-
CVE CVE-2013-4879, CVE-2013-4880, CVE-2013-4881, CVE-2013-5313 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Arkeia Appliance Path Traversal Vulnerability
- ActualAnalyzer Lite 'ant' Cookie Parameter Remote Command Execution Vulnerability
- Awstats Configuration File Remote Arbitrary Command Execution Vulnerability
- AdPeeps 'index.php' Multiple Vulnerabilities.
- 3Com OfficeConnect VPN Firewall Default Password Security Bypass Vulnerability