[Full-disclosure] Multiple vulnerabilities in phpMyVisites

Feb 12, 2007
vulners.com
Multiple vulnerabilities in phpMyVisites

Application : phpMyVisites prior to 2.2 stable
Release Date : 11 February 2007
Author : Nicob <nicob at nicob.net>

Abstract :

Several vulnerabilities were identified in phpMyVisites. This software
is "a free and powerful open source (GNU/GPL) software for websites
statistics and audience measurements" : http://www.phpmyvisites.net/

Impacted versions :

Versions 2.2 stable (released on November 10, 2006) and newer are not
impacted by these vulnerabilities.

Notes :

  • only one PHP file (phpmyvisites.php) needs to be remotely accessible to
    visitors. A paranoid installation will allow remote access only to this
    file (for example via .htaccess). So my brief code audit focused on this
    very file.

  • external libraries (smarty, phpMailer, PEAR, …) are embedded in any
    phpMyVisites install. Some vulnerabilities in these libraries were
    patched in version 2.2 stable too.

Vulnerabilities :

  • "HTTP Response Splitting" via the "url" parameter (triggered when the
    "pagename" parameter begins with "FILE:")

  • "Cross Site Scripting" in function GetCurrentCompletePath() :

http://your_site/your_dir/phpmyvisites.php/AAA/B<script>alert(document.location)</script>B/CCC

  • "Local file include" via the "pmv_ck_view" cookie parameter. Part of
    this cookie is used to construct a file path, which is then used in a
    require() call :

      if( !isset($this->file)
             || !strpos( $this->file, 'utf-8.php')
             || strpos( $this->file, '..') )
      {
              $this->file = $this->getNearestLang();
      }
      require LANGS_PATH . "/" . $this->file;


In this code, the third check is false both when the strpos() call returns
"FALSE" (no ".." anywhere in the string) and when it returns "0" (".." at
the very start of the string), because 0 is falsy in PHP. So
"…/…/…/…/…/tmp/utf-8.php" would be accepted.
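As an added illustration (not code from the advisory or from phpMyVisites), the quoted condition is rewritten as a function and placed beside a hardened version that compares strictly against false and only accepts a bare language file name. The "<lang>-utf-8.php" naming pattern and the sample file names are assumptions constructed for the demonstration.

```php
<?php
// Added example, not phpMyVisites code. Only the control flow of the quoted
// check is reproduced; nothing is required from disk and $file is a
// constructed value.

// The original condition as quoted in the advisory. It is truthy when the
// file name is REJECTED (the original then falls back to getNearestLang()).
function originalRejects(?string $file): bool
{
    return !isset($file)
        || !strpos($file, 'utf-8.php')   // false and 0 (match at offset 0) both reject
        || strpos($file, '..');          // BUG: ".." at offset 0 gives 0, which is falsy
}

// Hardened variant: strict comparison against false, no path separators,
// and an allowlist shape (assumed "<lang>-utf-8.php" naming) so that only a
// bare file name inside LANGS_PATH can ever reach require().
function hardenedRejects(?string $file): bool
{
    if ($file === null) {
        return true;
    }
    if (strpos($file, '..') !== false || strpos($file, '/') !== false
        || strpos($file, '\\') !== false || strpos($file, "\0") !== false) {
        return true;
    }
    return preg_match('/^[a-z]{2,8}-utf-8\.php$/', $file) !== 1;
}

// Constructed samples: a legitimate name, a traversal that starts with ".."
// (offset 0), one with ".." further in, and a bare "utf-8.php".
$samples = [
    'en-utf-8.php',
    '../../tmp/utf-8.php',
    'en/../../tmp/utf-8.php',
    'utf-8.php',
];

foreach ($samples as $s) {
    printf("%-26s original: %-7s hardened: %s\n", $s,
        originalRejects($s) ? 'reject' : 'ACCEPT',
        hardenedRejects($s) ? 'reject' : 'ACCEPT');
}
```

Running it shows the original check accepting the name that starts with ".." while rejecting the harmless bare "utf-8.php", the two faces of treating strpos()'s 0 as a boolean.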

Nicob


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/