CVE-2017-9442

Name of the Vulnerable Software and Affected Versions BigTree CMS versions 4.2.18 and earlier

Description The issue allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell. This is related to the extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. The problem exists in files coreadminmodulesdeveloperextensionsinstallunpack.php and coreadminmodulesdeveloperpackagesinstallunpack.php. The vendor notes that any installed package or extension must be implicitly trusted as they have the ability to write PHP files.

Recommendations For BigTree CMS versions 4.2.18 and earlier, consider disabling the package installation feature until a patch is available to prevent the upload of crafted packages. Restrict access to the unpack.php files in the coreadminmodulesdeveloperextensionsinstall and coreadminmodulesdeveloperpackagesinstall directories to minimize the risk of exploitation. Avoid using the package installation feature with untrusted packages, as they may contain PHP web shells. At the moment, there is no information about a newer version that contains a fix for this vulnerability.