Affected Software: PivotX (http://pivotx.net/)
Affected Version: 2.3.10 (probably also prior versions)
Patched Version: 2.3.11
Risk: Medium-High
Session Fixation
================
Risk
----
Medium; If victim clicks link and logs in, then an attacker can log in
as the victim
POC
---
1. Send victim to:
http://localhost/pivotx_
2. Victim logs in
3. Attacker sets PHPSESSID=123 and is now logged in as well
File Upload: Code Execution
===========================
Risk
----
Medium; attacker can upload PHP files and thus gain code execution
Description
-----------
It is possible to bypass the check for disallowed file extensions with
a filename like foo.php.php, which will be renamed to foo.php_.php,
leading to code execution.
Reflected XSS
=============
Risk
----
Medium; arbitrary JavaScript execution
POC
---
PHP_SELF is user supplied, and thus should not be considered
secure. It seems that most or all forms are affected by this.
http://localhost/pivotx_
http://localhost/pivotx_
http://localhost/pivotx_
[... etc ...]
Timeline
========
2015-05-27: Initial Report
2015-05-27: Vendor Confirmation
2015-06-05: Asking for Progress Update (no reply)
2015-06-14: Setting Disclose Date
2015-06-15: Vendor Confirmation
2015-06-17: Vendor Send Fix, Asking for Confirmation
2015-06-17: Confirmed Fix
2015-06-21: Vendor Releases Fix
2015-06-27: Disclosure
Source
======
http://software-talk.org/blog/
Komentarų nėra:
Rašyti komentarą