rgod has discovered some vulnerabilities in Pivot, which can be exploited by malicious users to bypass certain security restrictions and compromise a vulnerable system, and by malicious people to conduct cross-site scripting attacks.

1) Due to improper access controls, a malicious user can upload arbitrary files with multiple extensions to the "images" directory via includes/editor/insert_image.php.

Successful exploitation may allow execution of script code depending on the HTTP server configuration (e.g. requires Apache server with the "mod_mime" module installed).

2) Input passed to various parameters in multiple scripts is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Examples:
http://[host]/pivot/includes/blogroll.php?fg=[code]
http://[host]/pivot/includes/blogroll.php?line1=[code]
http://[host]/pivot/includes/blogroll.php?line2=[code]
http://[host]/pivot/includes/blogroll.php?bg=[code]
http://[host]/pivot/includes/blogroll.php?c1=[code]
http://[host]/pivot/includes/blogroll.php?c2=[code]
http://[host]/pivot/includes/blogroll.php?c3=[code]
http://[host]/pivot/includes/blogroll.php?c4=[code]
http://[host]/pivot/includes/editor/edit_menu.php?name=[code]
http://[host]/pivot/includes/editor/edit_menu.php?js_name=[code]
http://[host]/pivot/includes/photo.php?h=[code]
http://[host]/pivot/includes/photo.php?w=[code]

Successful exploitation of the majority of the issues requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 1.24.3 and also reported in version 1.30 RC2. Other versions may also be affected.

Solution
Reportedly fixed in version 1.30 Final.

Provided and/or discovered by
rgod

Changelog
Further details available in Customer Area

Deep Links
Links available in Customer Area