lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 27 Jun 2015 11:33:06 +0200
From: Tim <tc.coen@...il.com>
To: bugtraq@...urityfocus.com
Subject: Session Fixation, Reflected XSS, Code Execution in PivotX 2.3.10

Vulnerability: Session Fixation, Reflected XSS, Code Execution
Affected Software: PivotX (http://pivotx.net/)
Affected Version: 2.3.10 (probably also prior versions)
Patched Version: 2.3.11
Risk: Medium-High


Session Fixation
================

	Risk
	----

	Medium; If victim clicks link and logs in, then an attacker can log in
as the victim

	POC
	---

	1. Send victim to:
http://localhost/pivotx_latest/pivotx/fileupload.php?sess=123
	2. Victim logs in
	3. Attacker sets PHPSESSID=123 and is now logged in as well


File Upload: Code Execution
===========================

	Risk
	----

	Medium; attacker can upload PHP files and thus gain code execution

	Description
	-----------

	It is possible to bypass the check for disallowed file extensions with
a filename like foo.php.php, which will be renamed to foo.php_.php,
leading to code execution.


Reflected XSS
=============

	Risk
	----

	Medium; arbitrary JavaScript execution

	POC
	---

            PHP_SELF is user supplied, and thus should not be considered
secure. It seems that most or all forms are affected by this.

	
http://localhost/pivotx_latest/pivotx/index.php/"><script>alert('xsstest')</script></script>?page=page&uid=3
	
http://localhost/pivotx_latest/pivotx/index.php/"><script>alert('xsstest')</script></script>?page=templates
	
http://localhost/pivotx_latest/pivotx/index.php/"><script>alert('xsstest')</script></script>?page=fileexplore
		[... etc ...]

Timeline
========

2015-05-27: Initial Report
2015-05-27: Vendor Confirmation
2015-06-05: Asking for Progress Update (no reply)
2015-06-14: Setting Disclose Date
2015-06-15: Vendor Confirmation
2015-06-17: Vendor Send Fix, Asking for Confirmation
2015-06-17: Confirmed Fix
2015-06-21: Vendor Releases Fix
2015-06-27: Disclosure

Source
======

http://software-talk.org/blog/2015/06/session-fixation-xss-code-execution-vulnerability-pivotx/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ