pChart 2.1.3 – Multiple Vulnerabilities

• Exploit Database
• 10 阅读

• 作者： Balazs Makany
  日期： 2014-01-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/31173/

• # Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
  # Date: 2014-01-24
  # Exploit Author: Balazs Makany
  # Vendor Homepage: www.pchart.net
  # Software Link: www.pchart.net/download
  # Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
  # Version: 2.1.3
  # Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
  # CVE : N/A
  
  [0] Summary:
  PHP library pChart 2.1.3 (and possibly previous versions) by default
  contains an examples folder, where the application is vulnerable to
  Directory Traversal and Cross-Site Scripting (XSS).
  It is plausible that custom built production code contains similar
  problems if the usage of the library was copied from the examples.
  The exploit author engaged the vendor before publicly disclosing the
  vulnerability and consequently the vendor released an official fix
  before the vulnerability was published.
  
  
  [1] Directory Traversal:
  "hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
  The traversal is executed with the web server's privilege and leads to
  sensitive file disclosure (passwd, siteconf.inc.php or similar),
  access to source codes, hardcoded passwords or other high impact
  consequences, depending on the web server's configuration.
  This problem may exists in the production code if the example code was
  copied into the production environment.
  
  Directory Traversal remediation:
  1) Update to the latest version of the software.
  2) Remove public access to the examples folder where applicable.
  3) Use a Web Application Firewall or similar technology to filter
  malicious input attempts.
  
  
  [2] Cross-Site Scripting (XSS):
  "hxxp://localhost/examples/sandbox/script/session.php?<script>alert('XSS')</script>
  This file uses multiple variables throughout the session, and most of
  them are vulnerable to XSS attacks. Certain parameters are persistent
  throughout the session and therefore persists until the user session
  is active. The parameters are unfiltered.
  
  Cross-Site Scripting remediation:
  1) Update to the latest version of the software.
  2) Remove public access to the examples folder where applicable.
  3) Use a Web Application Firewall or similar technology to filter
  malicious input attempts.
  
  
  [3] Disclosure timeline:
  2014 January 16 - Vulnerability confirmed, vendor contacted
  2014 January 17 - Vendor replied, responsible disclosure was orchestrated
  2014 January 24 - Vendor was inquired about progress, vendor replied
  and noted that the official patch is released.