phpmyvisites-xss.txt

13 Feb 2007 00:00:00 | Reported by Nicob | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities in phpMyVisites. Impacted versions: prior to 2.2 stable (2.2 stable and newer are not impacted). HTTP Response Splitting, Cross Site Scripting, Local file include.


Code
`  
Multiple vulnerabilities in phpMyVisites  
  
  
Application : phpMyVisites prior to 2.2 stable  
Release Date : 11 February 2007  
Author : Nicob <nicob at nicob.net>  
  
Abstract :  
==========  
  
Several vulnerabilities were identified in phpMyVisites. This software  
is "a free and powerful open source (GNU/GPL) software for websites  
statistics and audience measurements" : http://www.phpmyvisites.net/  
  
Impacted versions :  
===================  
  
Versions 2.2 stable (released on November 10, 2006) and newer are not  
impacted by these vulnerabilities.  
  
Notes :  
=======  
  
- only one PHP file (phpmyvisites.php) needs to be remotely accessed by  
visitors. A paranoid installation will allow remote access only to this  
file (for example via htaccess). So my brief code audit focused on this  
very file.  
  
- external libraries (smarty, phpMailer, PEAR, ...) are embedded in any  
phpMyVisites install. Some vulnerabilities in these libraries were  
patched in version 2.2 stable too.  
  
Vulnerabilities :  
=================  
  
- "HTTP Response Splitting" via the "url" parameter (triggered when the  
"pagename" parameter begins with "FILE:")  
  
- "Cross Site Scripting" in function GetCurrentCompletePath() :  
  
http://your_site/your_dir/phpmyvistes.php/AAA/B<script>alert(document.location)</script>B/CCC  
  
- "Local file include" via the "pmv_ck_view" cookie parameter. Part of  
this cookie is used to construct a file path, which is then used in a  
require() call :  
  
if( !isset($this->file)  
|| !strpos( $this->file, 'utf-8.php')  
|| strpos( $this->file, '..') )  
{  
$this->file = $this->getNearestLang();  
}  
require LANGS_PATH . "/" . $this->file;   
  
In this code, the third check is "FALSE" if the strpos() call returns  
"FALSE" _or_ "0". So "../../../../../tmp/utf-8.php" would be accepted.  
  
  
Nicob  
  
`
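
The strpos() pitfall described in the advisory, as an added example (not code from phpMyVisites or from the advisory's author): the advisory's three conditions wrapped in a function, beside a stricter check that uses strict comparison and an allow-list. The function names, the allow-list contents and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration; function names and sample data are hypothetical.

// The three conditions quoted in the advisory. Returns true when the
// cookie-derived value would be kept and passed to require().
function original_check(?string $file): bool
{
    $fallback = !isset($file)
        || !strpos($file, 'utf-8.php')
        || strpos($file, '..');   // int 0 is falsy: '..' at offset 0 is missed
    return !$fallback;
}

// Stricter form: compare strpos() against false with !==, refuse anything
// that is not a bare file name, and require membership in a fixed list.
function hardened_check(?string $file, array $allowed): bool
{
    if ($file === null) {
        return false;
    }
    if (strpos($file, '..') !== false) {   // offset 0 now counts as a match
        return false;
    }
    if ($file !== basename($file)) {       // no directory components at all
        return false;
    }
    return in_array($file, $allowed, true);
}

// Constructed allow-list standing in for the files shipped in LANGS_PATH.
$allowed = ['en-utf-8.php', 'fr-utf-8.php'];

// Constructed inputs: a normal value, the advisory's value, and a value
// where '..' is not at offset 0 (which the original check does catch).
$samples = [
    'fr-utf-8.php',
    '../../../../../tmp/utf-8.php',
    'fr/../../tmp/utf-8.php',
];

foreach ($samples as $s) {
    printf(
        "%-32s original=%-6s hardened=%s\n",
        $s,
        original_check($s) ? 'accept' : 'reject',
        hardened_check($s, $allowed) ? 'accept' : 'reject'
    );
}
```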
