A vulnerability has been discovered in Piwik's Open Flash Chart module which can be exploited by malicious people to compromise a vulnerable system. The vulnerability exists in Piwik’s implementation of “open-flash-chart”, a module which resides in the “./libs/open-flash-chart/php-ofc-library” directory.
Piwik is an open-source, GPL-licensed web analytics application. Much like Google Analytics, it provides detailed reports on a website's visitors, the popular pages, the search engine keywords visitors used, the language they speak, and much more. It delivers detailed real-time reports, and all features are built as plugins, so new features can be added and removed very easily.
The vulnerable code makes Piwik create a directory called “./libs/open-flash-chart/tmp-upload-images” and then create a file in it whose contents can be PHP code. The issue is caused by missing input validation in the “libs/open-flash-chart/php-ofc-library/ofc_upload_image.php” script when processing the “name” parameter; remote attackers could exploit it to create malicious PHP scripts on a vulnerable system and execute arbitrary commands with the privileges of the web server. This code does not, however, function correctly if global variables cannot be overwritten.
<?php
/* Default path for temporary files when an image file is uploaded */
$default_path = '../tmp-upload-images/';

/* Check whether the directory in $default_path exists */
if (!file_exists($default_path))
    /* If not, create it with full (world-writable) permissions */
    mkdir($default_path, 0777, true);

/* Then create a file in that directory, named after the "name" form input. */
/* This variable is not sanitised before use. */
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;

/* The dangerous code is right here: the raw POST body is written into the
   file, and an attacker can later execute whatever was written */
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);
?>
An attacker can exploit this hole to compromise a vulnerable system. Proof of concept:
So, how can this vulnerability be fixed? Restrict access to the “/libs/open-flash-chart/php-ofc-library” directory (e.g. via an “.htaccess” file). Alternatively, edit the source code of Piwik's copy of the Open Flash Chart library; see the code above. Note that the vulnerable file may be omitted from various implementations of the Open Flash Chart library.
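As an added example (not Piwik's or the Open Flash Chart project's own patch), the handler shown above rewritten with the controls the fix implies: a caller must be authenticated, the “name” parameter is checked against a strict allow-list, the uploaded body is verified to be an image of an allowed type, the extension is derived from the detected type rather than taken from the request, the storage directory sits outside the web root with owner-only permissions, and existing files are never overwritten. The directory location and the is_authenticated_user() helper are assumptions; restricting the php-ofc-library directory via “.htaccess”, as recommended above, remains worthwhile as a second layer.

```php
<?php
// Hardened replacement for the upload handler shown above. This is an added
// example, not Piwik's or Open Flash Chart's own fix. Assumptions are marked.
declare(strict_types=1);

// Assumption: the target directory lives outside the web root, so nothing
// written here is ever served or executed by the web server. Compare the
// original, which writes into a world-writable directory beside the script.
const UPLOAD_DIR = __DIR__ . '/../../../../tmp-upload-images-private';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB cap on the request body

// Accepted image types, keyed by the MIME type getimagesizefromstring() reports.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Validate the request and return the path to write to, or null to refuse.
 * This replaces the original's unchecked basename($_GET['name']).
 */
function safe_destination(?string $name, string $body): ?string
{
    // 1. Accept only a short, simple file name: letters, digits, '_' and '-'
    //    followed by exactly one image extension. Path separators, extra dots
    //    and control characters are rejected outright.
    if ($name === null
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g)\z/i', $name)) {
        return null;
    }
    // 2. Enforce the size limit before inspecting the body.
    if ($body === '' || strlen($body) > MAX_BYTES) {
        return null;
    }
    // 3. The extension is attacker-controlled, so check the body really is an
    //    image of a type we allow.
    $info = @getimagesizefromstring($body);
    if ($info === false || !isset(ALLOWED_TYPES[$info['mime']])) {
        return null;
    }
    // 4. Discard the caller's extension and derive it from the detected type,
    //    so a file with an executable extension can never be created.
    $base = pathinfo($name, PATHINFO_FILENAME);
    return UPLOAD_DIR . '/' . $base . '.' . ALLOWED_TYPES[$info['mime']];
}

function handle_upload(): void
{
    // Assumption: the surrounding application provides is_authenticated_user();
    // the original handler accepted uploads from anyone.
    if (!is_authenticated_user()) {
        http_response_code(403);
        exit('forbidden');
    }
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit('method not allowed');
    }

    // php://input replaces the deprecated $HTTP_RAW_POST_DATA; read at most
    // one byte over the cap so oversized bodies are detected, not truncated.
    $body = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
    $body = ($body === false) ? '' : $body;
    $dest = safe_destination($_GET['name'] ?? null, $body);
    if ($dest === null) {
        http_response_code(400);
        exit('upload rejected');
    }

    // Create the directory owner-only (0700), not 0777 as in the original.
    if (!is_dir(UPLOAD_DIR) && !@mkdir(UPLOAD_DIR, 0700, true)) {
        http_response_code(500);
        exit('storage unavailable');
    }

    // Mode 'x' fails if the file already exists, so uploads cannot overwrite
    // each other; the file itself is then made owner-readable only.
    $fh = @fopen($dest, 'x');
    if ($fh === false) {
        http_response_code(409);
        exit('file exists');
    }
    fwrite($fh, $body);
    fclose($fh);
    chmod($dest, 0600);

    // Do not echo the server-side path back to the client as the original does.
    echo 'Image saved.';
}

handle_upload();
```

The key difference from the original is that no value the client controls ever reaches the filesystem unchanged: the name must match a narrow pattern, the extension written to disk comes from the sniffed content, and the directory is neither world-writable nor reachable through the web server, so even a file that somehow slipped through could not be requested as a script.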