
File Inclusion Attack - Possible RCE #433

Closed
Shinkurt opened this issue Dec 18, 2016 · 4 comments

@Shinkurt

commented Dec 18, 2016

Hello,

In bundled-libs/serendipity_generateFTPChecksums.php

640: $serendipity['dbType'] = $_POST['dbType'];
643: include_once (S9Y_INCLUDE_PATH . "include/db/{$serendipity['dbType']}.inc.php");

As you can see, a user-controlled variable, $serendipity['dbType'], is being sent to an include_once() function without any sanitization call, which results in file inclusion and remote code execution by referring to any file with a PHP payload in older PHP versions where null bytes (%00) are allowed.

Thanks,

@garvinhicking


Member

commented Dec 19, 2016

Thanks a lot @Shinkurt for reporting this. If possible, we would appreciate security-related issues being reported privately via email (see https://docs.s9y.org/docs/contributing/index.html) to coordinate fixes with responsible disclosure.

I have just committed a patch that sanitizes this variable for use in the installer. The RCE would only be usable upon first time installation, so this mitigates the risk a lot at least. :-)

The commit is here: bba6a84
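To make the reported pattern and the kind of sanitization discussed above concrete, here is an added PHP example. It is not Serendipity's code and not the contents of commit bba6a84; S9Y_INCLUDE_PATH, the adapter list and the function names are assumptions for the demonstration.

```php
<?php
// Added example for this thread, not Serendipity's own code or its actual fix.
// Assumed: S9Y_INCLUDE_PATH is the app root and adapters live under include/db/.
declare(strict_types=1);

if (!defined('S9Y_INCLUDE_PATH')) {
    define('S9Y_INCLUDE_PATH', __DIR__ . '/');   // assumed layout for the demo
}

// Reported pattern: the POST value is used as-is to build the include path,
// so whatever the client sends decides which file include_once() loads.
function dbAdapterPathUnsafe(array $post): string
{
    $serendipity = [];
    $serendipity['dbType'] = $post['dbType'];
    return S9Y_INCLUDE_PATH . "include/db/{$serendipity['dbType']}.inc.php";
}

// Hardened variant: the value must match a strict identifier pattern and be one
// of a fixed set of known adapter names. Anything else is rejected (null), so the
// path handed to include_once() can only ever name a shipped adapter file.
function dbAdapterPathSafe(array $post, array $allowedAdapters): ?string
{
    $type = $post['dbType'] ?? '';
    if (!is_string($type) || !preg_match('/^[a-z0-9_]+$/', $type)) {
        return null;                     // rejects "/", ".", "\0", "%00" and friends
    }
    if (!in_array($type, $allowedAdapters, true)) {
        return null;                     // not a known adapter name
    }
    return S9Y_INCLUDE_PATH . 'include/db/' . $type . '.inc.php';
}

$allowedAdapters = ['mysqli', 'mysql', 'postgres', 'sqlite'];   // assumed list
$hostile = ['dbType' => "../../uploads/avatar.jpg\0"];          // constructed input
var_dump(dbAdapterPathUnsafe($hostile));                        // attacker-shaped path
var_dump(dbAdapterPathSafe($hostile, $allowedAdapters));        // NULL
var_dump(dbAdapterPathSafe(['dbType' => 'mysqli'], $allowedAdapters)); // adapter path
```

The allowlist, not the regex, is the real control; the pattern check only makes the rejection reason obvious and keeps the value from reaching the filesystem at all.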

@Xyntax



commented Dec 19, 2016

Is it really a security issue? Could you show me some confirmed vulns like this "first-time-installation exploit"? @Shinkurt
Thanks a lot.

@garvinhicking


Member

commented Dec 19, 2016

On first installation in the advanced installer you can choose a database type (by default we would use mysqli on a non-advanced install). That database type is a . You could use DevTools/Firebug to make that select for 'dbType' point to a specific PHP file (or issue the HTTP POST request from outside). This means you would need the ability to upload malicious local PHP files in the first instance (i.e. by uploading a JPG with PHP code), so that you can include them. You would need a specific variable termination to be able to pass that properly (that's what the %00 referred to)...

@Shinkurt


Author

commented Dec 19, 2016

@garvinhicking thanks, use CVE-2016-10082 for this.
