Multiple vulnerabilities in phpMyVisites
Application : phpMyVisites prior to 2.2 stable
Release Date : 11 February 2007
Author : Nicob <nicob at nicob.net>
Several vulnerabilities were identified in phpMyVisites. This software
is "a free and powerful open source (GNU/GPL) software for websites
statistics and audience measurements" : http://www.phpmyvisites.net/
Versions 2.2 stable (released on November 10, 2006) and newer are not
impacted by these vulnerabilities.
Only one PHP file (phpmyvisites.php) needs to be remotely accessible to
visitors. A paranoid installation will allow remote access to this file
only (for example via .htaccess), so my brief code audit focused on this
very file.
External libraries (smarty, phpMailer, PEAR, …) are embedded in every
phpMyVisites install. Some vulnerabilities in these libraries were
patched in version 2.2 stable too.
"HTTP Response Splitting" via the "url" parameter (triggered when the
"pagename" parameter begins with "FILE:").
"Cross Site Scripting" in function GetCurrentCompletePath(), with the
payload carried in the path info after the script name :
http://your_site/your_dir/phpmyvisites.php/AAA/B<script>alert(document.location)</script>B/CCC
"Local file include" via the "pmv_ck_view" cookie parameter. Part of
this cookie is used to construct a file path, which is then passed to
require() :

    if( !isset($this->file)
        || !strpos( $this->file, 'utf-8.php')  // FALSE (absent) and 0 (at offset 0) both reject
        || strpos( $this->file, '..') )        // meant to reject '..', but 0 is falsy
    {
        $this->file = $this->getNearestLang();
    }
    require LANGS_PATH . "/" . $this->file;
In this code, the third check evaluates to FALSE both when strpos()
returns FALSE ('..' absent) and when it returns 0 ('..' found at the
very beginning of the string, which PHP treats as falsy). A value such
as "../../../../../tmp/utf-8.php" is therefore accepted and reaches
require(). The correct idiom is a strict comparison (strpos(...) !==
false), ideally combined with an allowlist of language file names.
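The following stand-alone script is an added example, not code from this
advisory or from phpMyVisites: it transcribes the vulnerable check into a
function, shows which candidate values slip past it, and contrasts it
with a hardened check using strict comparisons, an allowlist and a
realpath() containment test. The function names, the temporary language
directory and the candidate file names are constructed for the demo.

```php
<?php
// Added example, not code from the advisory or from phpMyVisites.
// Reproduces the vulnerable check in isolation, shows why a path that
// starts with ".." passes it, and contrasts a hardened version.
// Directory and file names below are constructed for the demonstration.

// Vulnerable check, transcribed from the advisory: true means the value
// would reach require() unchanged.
function vulnerable_accepts($file)
{
    if (!isset($file)
        || !strpos($file, 'utf-8.php')   // FALSE and 0 both fail this test
        || strpos($file, '..'))          // 0 (".." at offset 0) is falsy!
    {
        return false;                    // would fall back to getNearestLang()
    }
    return true;
}

// Hardened check (hypothetical replacement): strict comparisons, an
// allowlist of file names and a realpath() containment test.
function hardened_accepts($file, $langs_path)
{
    if (!is_string($file) || $file === '') {
        return false;
    }
    // Strict comparison: strpos() returning 0 means "found", not "absent".
    if (strpos($file, '..') !== false || strpos($file, '/') !== false
        || strpos($file, "\\") !== false || strpos($file, "\0") !== false) {
        return false;
    }
    // Allowlist of plausible language file names, e.g. "en-utf-8.php".
    if (!preg_match('/^[a-z]{2}(-[a-z]{2})?-utf-8\.php$/', $file)) {
        return false;
    }
    // The resolved path must exist and must stay inside $langs_path.
    $base = realpath($langs_path);
    $full = realpath($langs_path . '/' . $file);
    return $base !== false && $full !== false
        && strpos($full, $base . DIRECTORY_SEPARATOR) === 0;
}

// --- Demonstration -------------------------------------------------------

// Constructed language directory containing one legitimate file.
$langs = sys_get_temp_dir() . '/pmv_demo_' . getmypid();
mkdir($langs);
file_put_contents($langs . '/en-utf-8.php', "<?php\n");

$candidates = array(
    'en-utf-8.php',                       // legitimate language file
    '../../../../../tmp/utf-8.php',       // bypass from the advisory: '..' at offset 0
    '/tmp/../tmp/utf-8.php',              // '..' at offset > 0: caught by the original check
);

printf("%-6s %-8s %-8s %s\n", 'strpos', 'vuln', 'hard', 'candidate');
foreach ($candidates as $c) {
    $pos = strpos($c, '..');             // false, 0 or a positive offset
    printf("%-6s %-8s %-8s %s\n",
        var_export($pos, true),
        vulnerable_accepts($c) ? 'accept' : 'reject',
        hardened_accepts($c, $langs) ? 'accept' : 'reject',
        $c);
}

unlink($langs . '/en-utf-8.php');
rmdir($langs);
```

Run it with the PHP CLI (php demo.php). The table makes the root cause
visible: for the advisory's payload strpos() returns 0, which the
original boolean test treats like FALSE, while a payload with '..'
anywhere but the start is rejected. The hardened version accepts only
the legitimate file, and the realpath() test additionally guards
against symlinks inside the language directory.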
Nicob
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/