lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 11 Feb 2007 12:25:10 +0100
From: Nicob <nicob@...ob.net>
To: vulnwatch@...nwatch.org, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk
Subject: Multiple vulnerabilities in phpMyVisites


	Multiple vulnerabilities in phpMyVisites


Application : phpMyVisites prior to 2.2 stable
Release Date : 11 February 2007
Author : Nicob <nicob at nicob.net>

Abstract :
==========

Several vulnerabilities were identified in phpMyVisites. This software
is "a free and powerful open source (GNU/GPL) software for websites
statistics and audience measurements" : http://www.phpmyvisites.net/

Impacted versions :
===================

Versions 2.2 stable (released on November 10, 2006) and newer are not
impacted by these vulnerabilities.

Notes :
=======

- only one PHP file (phpmyvisites.php) need to be remotely accessed by
visitors. A paranoid installation will allow remote access only to this
file (for example via htaccess). So my brief code audit focused on this
very file.

- external libraries (smarty, phpMailer, PEAR, ...) are embedded in any
phpMyVisites install. Some vulnerabilities in these libraries were
patched in version 2.2 stable too.

Vulnerabilities :
=================

- "HTTP Response Splitting" via the "url" parameter (triggered when the
"pagename" parameter begins by "FILE:")

- "Cross Site Scripting" in function GetCurrentCompletePath() :

http://your_site/your_dir/phpmyvistes.php/AAA/B<script>alert(document.location)</script>B/CCC

- "Local file include" via the "pmv_ck_view" cookie parameter. Part of
this cookie is used to construct a file path, which is then used in a
require() call :

        if( !isset($this->file)
               || !strpos( $this->file, 'utf-8.php')
               || strpos( $this->file, '..') )
        {
                $this->file = $this->getNearestLang();
        }
        require LANGS_PATH . "/" . $this->file; 

In this code, the third check is "FALSE" if the strpos() call returns
"FALSE" _or_ "0". So "../../../../../tmp/utf-8.php" would be accepted.


Nicob

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ