CVE-2020-26670
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary operating system commands on BigTree CMS servers through the 'Create a New Setting' function. Attackers can achieve remote code execution with the privileges of the web server process. All BigTree CMS installations at version 4.4.10 or earlier are affected.
💻 Affected Systems
- BigTree CMS
📦 What is this software?
BigTree CMS by BigTreeCMS
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate data, pivot to internal networks, and maintain persistent access.
Likely Case
Attackers gain shell access to the web server, allowing them to read/write files, access databases, and potentially escalate privileges to compromise the entire server.
If Mitigated
With proper network segmentation and least privilege, impact is limited to the web application directory and database access.
🎯 Exploit Status
Exploit requires authenticated access to the admin panel. Public exploit code is available and easy to use.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.11 and later
Vendor Advisory: https://github.com/bigtreecms/BigTree-CMS/releases/tag/4.4.11
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download BigTree CMS 4.4.11 or later from the official repository.
3. Replace all core files with the updated version.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable 'Create a New Setting' Function
Temporarily disable the vulnerable functionality by removing or restricting access to the settings-creation feature.
# Modify admin/modules/settings/create.php to require additional authentication or disable functionality
Restrict Admin Panel Access
Limit access to the admin panel to specific IP addresses using web server configuration.
# Apache: Use .htaccess with Require ip directives
# Nginx: Use allow/deny directives in server configuration
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the BigTree CMS server from critical systems
- Enable detailed logging and monitoring for suspicious admin panel activities and command execution attempts
🔍 How to Verify
Check if Vulnerable:
Check the BigTree CMS version in the admin panel or in the core/version.php file. If the version is 4.4.10 or earlier, the system is vulnerable.
Check Version:
grep 'define' core/version.php | grep 'BIGTREE_VERSION'
Verify Fix Applied:
Verify that the version number shows 4.4.11 or later. Test the 'Create a New Setting' function with safe test inputs to confirm that command execution is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin/modules/settings/create.php with shell metacharacters
- Multiple failed login attempts followed by successful admin login and settings creation
Network Indicators:
- Outbound connections from web server to unexpected external IPs
- Unusual process execution patterns from web server user
SIEM Query:
source="web_logs" AND (uri="/admin/modules/settings/create.php" AND (method="POST") AND (body CONTAINS "$" OR body CONTAINS "|" OR body CONTAINS ";" OR body CONTAINS "`"))
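Added example, not part of the advisory or of the BigTree project: the log indicators and SIEM query above applied in Python to a constructed JSON request log. The log field names (ts, user, method, uri, body) are an assumption about a proxy or WAF log that records request bodies; unlike the raw substring match in the SIEM query, it URL-decodes form values first, so percent-encoded metacharacters such as %3B or %60 are not missed.

```python
import json
from urllib.parse import unquote_plus

# Endpoint and metacharacter set taken from the advisory's log indicators.
TARGET_URI = "/admin/modules/settings/create.php"
SHELL_METACHARS = set("$|;`")

# Constructed sample request log (JSON lines), not real traffic.  The field
# names are an assumption about a proxy/WAF log that records request bodies.
SAMPLE_LOG = """\
{"ts":"2021-01-10T09:12:01Z","user":"editor","method":"GET","uri":"/admin/modules/settings/create.php","body":""}
{"ts":"2021-01-10T09:12:44Z","user":"editor","method":"POST","uri":"/admin/modules/settings/create.php","body":"id=site_title&name=Site+Title&type=text"}
{"ts":"2021-01-10T09:13:02Z","user":"editor","method":"POST","uri":"/admin/modules/settings/create.php","body":"id=x%3Bid&name=Test&type=text"}
{"ts":"2021-01-10T09:14:05Z","user":"admin","method":"POST","uri":"/admin/modules/pages/create.php","body":"title=a%7Cb"}
{"ts":"2021-01-10T09:14:40Z","user":"editor","method":"POST","uri":"/admin/modules/settings/create.php","body":"id=test&name=Test&type=text&extra=%60whoami%60"}
"""

def suspicious_fields(body):
    """Map each form field to its decoded value when that value contains a
    shell metacharacter.  Decoding first means %3B, %7C and %60 are caught,
    which a raw substring match on the encoded body would miss."""
    found = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if any(c in SHELL_METACHARS for c in value):
            found[unquote_plus(key)] = value
    return found

def detect(log_text):
    """Return one finding per POST to the settings-creation endpoint whose
    body carries shell metacharacters; other endpoints and GETs are ignored."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("uri") != TARGET_URI:
            continue
        hits = suspicious_fields(rec.get("body", ""))
        if hits:
            findings.append({"ts": rec["ts"], "user": rec.get("user"), "fields": hits})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding["ts"], finding["user"], finding["fields"])
```

Pair a hit with the surrounding authentication events (the advisory's second log indicator) before escalating, since legitimate setting values can occasionally contain these characters.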