PivotX 2.3.11 Shell Upload

2016-03-18T00:00:00
ID PACKETSTORM:136285
Type packetstorm
Reporter Tim Coen
Modified 2016-03-18T00:00:00

Description

                                        
                                            `Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: PivotX 2.3.11  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website: http://pivotx.net/  
Vulnerability Type: Code Execution  
Remote Exploitable: Yes  
Reported to vendor: 01/20/2016  
Disclosed to public: 03/15/2016  
Release mode: Full Disclosure  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is  
vulnerable to code execution by authenticated users because it does not check  
the extension of files when renaming them.  
  
3. Details  
  
Description  
  
CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C  
  
The file upload functionality checks file extensions when uploading files to  
prevent the uploading of malicious files such as PHP files. However, the rename  
function does not check the extension of the new filename, leading to code  
execution.  
  
An account in the advanced users, admins, or superadmins role is required to  
upload files.  
  
Proof of Concept  
  
1. Upload an image file containing PHP code with a valid extension such as png  
2. rename it so it has a PHP extension: http://localhost/pivotx_latest/pivotx/  
index.php?page=media&file=imageshell.png&pivotxsession=ovyyn4ob2jc5ym92&answer=  
shell.php  
  
4. Solution  
  
This issue was not fixed by the vendor.  
  
5. Report Timeline  
  
01/20/2016 Informed Vendor about Issue  
01/29/2016 Vendor replies, PivotX is not maintained anymore  
03/15/2016 Disclosed to public  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/PivotX-2311-Code-Execution-153.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`