Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  Multiple vulnerabilities in Vulcan theme for WordPress + WAF bypass

  [SECURITY] [DSA 3295-1] cacti security update

  CVE-2015-3443 XSS in Thycotic Secret Server version 8.6.000000 to 8.8.000004

  ManageEngine Asset Explorer v6.1 - Persistent Vulnerability

From:Tim <tc.coen_(at)_gmail.com>
Date:5 июля 2015 г.
Subject:Session Fixation, Reflected XSS, Code Execution in PivotX 2.3.10



Vulnerability: Session Fixation, Reflected XSS, Code Execution
Affected Software: PivotX (http://pivotx.net/)
Affected Version: 2.3.10 (probably also prior versions)
Patched Version: 2.3.11
Risk: Medium-High


Session Fixation
================

Risk
----

Medium; If victim clicks link and logs in, then an attacker can log in
as the victim

POC
---

1. Send victim to:
http://localhost/pivotx_latest/pivotx/fileupload.php?sess=123
2. Victim logs in
3. Attacker sets PHPSESSID=123 and is now logged in as well


File Upload: Code Execution
===========================

Risk
----

Medium; attacker can upload PHP files and thus gain code execution

Description
-----------

It is possible to bypass the check for disallowed file extensions with
a filename like foo.php.php, which will be renamed to foo.php_.php,
leading to code execution.


Reflected XSS
=============

Risk
----

Medium; arbitrary JavaScript execution

POC
---

           PHP_SELF is user supplied, and thus should not be considered
secure. It seems that most or all forms are affected by this.


http://localhost/pivotx_latest/pivotx/index.
php/"><script>alert('xsstest')</script></s
cript>?page=page&uid=3

http://localhost/pivotx_latest/pivotx/index.
php/"><script>alert('xsstest')</script></s
cript>?page=templates

http://localhost/pivotx_latest/pivotx/index.
php/"><script>alert('xsstest')</script></s
cript>?page=fileexplore
[... etc ...]

Timeline
========

2015-05-27: Initial Report
2015-05-27: Vendor Confirmation
2015-06-05: Asking for Progress Update (no reply)
2015-06-14: Setting Disclose Date
2015-06-15: Vendor Confirmation
2015-06-17: Vendor Send Fix, Asking for Confirmation
2015-06-17: Confirmed Fix
2015-06-21: Vendor Releases Fix
2015-06-27: Disclosure

Source
======

http://software-talk.org/blog/2015/06/session-fixation-xss-code-execution-vulnera
bility-pivotx/


О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород