phpmyvisites-xss.txt
Posted on 13 February 2007
Multiple vulnerabilities in phpMyVisites Application : phpMyVisites prior to 2.2 stable Release Date : 11 February 2007 Author : Nicob <nicob at nicob.net> Abstract : ========== Several vulnerabilities were identified in phpMyVisites. This software is "a free and powerful open source (GNU/GPL) software for websites statistics and audience measurements" : http://www.phpmyvisites.net/ Impacted versions : =================== Versions 2.2 stable (released on November 10, 2006) and newer are not impacted by these vulnerabilities. Notes : ======= - only one PHP file (phpmyvisites.php) need to be remotely accessed by visitors. A paranoid installation will allow remote access only to this file (for example via htaccess). So my brief code audit focused on this very file. - external libraries (smarty, phpMailer, PEAR, ...) are embedded in any phpMyVisites install. Some vulnerabilities in these libraries were patched in version 2.2 stable too. Vulnerabilities : ================= - "HTTP Response Splitting" via the "url" parameter (triggered when the "pagename" parameter begins by "FILE:") - "Cross Site Scripting" in function GetCurrentCompletePath() : http://your_site/your_dir/phpmyvistes.php/AAA/B<script>alert(document.location)</script>B/CCC - "Local file include" via the "pmv_ck_view" cookie parameter. Part of this cookie is used to construct a file path, which is then used in a require() call : if( !isset($this->file) || !strpos( $this->file, 'utf-8.php') || strpos( $this->file, '..') ) { $this->file = $this->getNearestLang(); } require LANGS_PATH . "/" . $this->file; In this code, the third check is "FALSE" if the strpos() call returns "FALSE" _or_ "0". So "../../../../../tmp/utf-8.php" would be accepted. Nicob