Vulnerability: Session Fixation, Reflected XSS, Code Execution Affected Software: PivotX (http://pivotx.net/) Affected Version: 2.3.10 (probably also prior versions) Patched Version: 2.3.11 Risk: Medium-High Session Fixation ================ Risk ---- Medium; If victim clicks link and logs in, then an attacker can log in as the victim POC --- 1. Send victim to: http://localhost/pivotx_latest/pivotx/fileupload.php?sess=123 2. Victim logs in 3. Attacker sets PHPSESSID=123 and is now logged in as well File Upload: Code Execution =========================== Risk ---- Medium; attacker can upload PHP files and thus gain code execution Description ----------- It is possible to bypass the check for disallowed file extensions with a filename like foo.php.php, which will be renamed to foo.php_.php, leading to code execution. Reflected XSS ============= Risk ---- Medium; arbitrary JavaScript execution POC --- PHP_SELF is user supplied, and thus should not be considered secure. It seems that most or all forms are affected by this. http://localhost/pivotx_latest/pivotx/index.php/";><script>alert('xsstest')</script></script>?page=page&uid=3 http://localhost/pivotx_latest/pivotx/index.php/";><script>alert('xsstest')</script></script>?page=templates http://localhost/pivotx_latest/pivotx/index.php/";><script>alert('xsstest')</script></script>?page=fileexplore [... etc ...] Timeline ======== 2015-05-27: Initial Report 2015-05-27: Vendor Confirmation 2015-06-05: Asking for Progress Update (no reply) 2015-06-14: Setting Disclose Date 2015-06-15: Vendor Confirmation 2015-06-17: Vendor Send Fix, Asking for Confirmation 2015-06-17: Confirmed Fix 2015-06-21: Vendor Releases Fix 2015-06-27: Disclosure Source ====== http://software-talk.org/blog/2015/06/session-fixation-xss-code-execution-vulnerability-pivotx/
