A critical security bug was disclosed privately to the BigTree team that can expose your database configuration file to public viewing. It can also potentially be used to view other world-readable files on the server hosting BigTree. BigTree 4.1.12 and 4.2.6 include a fix for this vulnerability in their /core/launch.php files. However, older versions of BigTree 4.1 and all versions of 4.0.x did not use launch.php and instead have a /site/index.php, written by the installer, that includes the routing logic.
If your /site/index.php file is not just 4 or 5 lines including /core/launch.php, you must manually apply the following patch:
    // Prevent path manipulations
    $bigtree["path"] = array_filter($bigtree["path"],function($val) {
        if ($val == "..") {
            die();
        }
        return true;
    });
This patch should be applied immediately after the following line in /site/index.php:
    $path = $bigtree["path"]; // Backwards compatibility
If your /site/index.php uses launch.php, it is recommended that you update immediately to 4.1.12 or 4.2.6!
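
One way to check which of these cases an install falls into, as an added example that is not part of the original announcement or BigTree's own code. The function names, status labels and grep patterns are assumptions derived from the text above, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not BigTree code: classify a /site/index.php per the advisory.
# The grep patterns are heuristics taken from the advisory's own wording.

bigtree_index_status() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 0; }

    # The advisory describes the stub as 4 or 5 lines including launch.php.
    lines=$(grep -c '[^[:space:]]' "$file" || true)
    if [ "$lines" -le 5 ] && grep -q 'launch\.php' "$file"; then
        echo "launch-stub"   # fix comes from updating to 4.1.12 or 4.2.6
        return 0
    fi

    # Line number of the anchor line the patch must follow.
    anchor=$(grep -n -F '$path = $bigtree["path"];' "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$anchor" ]; then
        echo "unknown"       # neither the stub nor recognisable routing logic
        return 0
    fi

    # The patch only counts if the ".." check appears after the anchor line.
    if tail -n +"$((anchor + 1))" "$file" | grep -q -F '$val == ".."'; then
        echo "patched"
    else
        echo "needs-patch"
    fi
}

# Constructed samples (not real BigTree files) for trying the check offline.
write_samples() {
    d=$1
    printf '%s\n' '<?php' 'include "../core/launch.php";' > "$d/stub.php"
    printf '%s\n' '<?php' '// routing logic (constructed stand-in)' \
        '$path = $bigtree["path"]; // Backwards compatibility' > "$d/old.php"
    cp "$d/old.php" "$d/patched.php"
    printf '%s\n' '$bigtree["path"] = array_filter($bigtree["path"],function($val) {' \
        'if ($val == "..") {' 'die();' '}' 'return true;' '});' >> "$d/patched.php"
}

# Usage: sh check.sh /path/to/site/index.php [more files...]
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(bigtree_index_status "$f")"
done
```

A result of needs-patch or unknown means the file should be reviewed by hand against the instructions above; launch-stub means the fix is delivered by the 4.1.12 or 4.2.6 update rather than by the manual patch.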