
File Inclusion Attack - Possible RCE #433

Closed
Shinkurt opened this issue Dec 18, 2016 · 4 comments

Comments

@Shinkurt

Shinkurt commented Dec 18, 2016

Hello,

In bundled-libs/serendipity_generateFTPChecksums.php

640: $serendipity['dbType'] = $_POST['dbType'];
643: include_once (S9Y_INCLUDE_PATH . "include/db/{$serendipity['dbType']}.inc.php");

As you can see, a user-controlled variable, $serendipity['dbType'], is being sent to an include_once() function without any sanitization call, which results in file inclusion and remote code execution by referring to any file with a PHP payload in older PHP versions where null bytes (%00) are allowed.

Thanks,

@garvinhicking
Member

Thanks a lot @Shinkurt for reporting this. If possible, we would appreciate security-related issues being reported privately via email (see https://docs.s9y.org/docs/contributing/index.html) to coordinate fixes with responsible disclosure.

I have just committed a patch that sanitizes this variable for use in the installer. The RCE would only be usable upon first time installation, so this mitigates the risk a lot at least. :-)

The commit is here: bba6a84

@Xyntax

Xyntax commented Dec 19, 2016

Is it really a security issue? Could you show me some confirmed vulns like this "first-time-installation exploit"? @Shinkurt
Thanks a lot.

@garvinhicking
Member

On first installation in the advanced installer you can choose a database type (by default we would use mysqli on non-advanced install). That database type is a . You could use DevTools/Firebug to make that select for 'dbType' point to a specific PHP file (or issue the HTTP POST request from outside). This means you would need the ability to upload malicious local PHP files in the first instance (i.e. by uploading a JPG with PHP code), so that you can include them. You would need a specific variable termination to be able to pass that properly (that's what the %00 referred to)...
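The vulnerable pattern from the report beside an allowlist-based hardening, as an added example that is not the project's committed patch. The constant S9Y_INCLUDE_PATH and the include/db/<type>.inc.php layout follow the issue; the driver names in the allowlist (other than mysqli) are assumed for illustration.

```php
<?php
// Added example, not s9y's own fix. S9Y_INCLUDE_PATH is stubbed so the file runs stand-alone.
define('S9Y_INCLUDE_PATH', __DIR__ . '/');

/**
 * Vulnerable pattern from the report: the raw POST value is interpolated into the
 * include path, so "../" sequences or a NUL-terminated value (on old PHP versions)
 * select an arbitrary file. Returns the path that would reach include_once().
 */
function vulnerable_db_include_path(array $post): string
{
    $dbType = $post['dbType'];
    return S9Y_INCLUDE_PATH . "include/db/{$dbType}.inc.php";
}

/**
 * Hardened form: compare the submitted value strictly against a fixed allowlist of
 * driver names and build the path from the allowlisted constant, never from input.
 * Returns null when the value is not an exact match (caller aborts the install step).
 */
function safe_db_driver(array $post): ?string
{
    // Assumed allowlist; a real one would list exactly the drivers shipped in include/db/.
    static $allowed = ['mysqli', 'postgres', 'sqlite', 'pdo-sqlite'];

    $dbType = (isset($post['dbType']) && is_string($post['dbType'])) ? $post['dbType'] : '';

    // Strict (===) comparison rejects anything that is not byte-for-byte an allowed
    // name, which covers embedded NUL bytes, slashes, dots and type juggling.
    if (!in_array($dbType, $allowed, true)) {
        return null;
    }
    return $dbType;
}

function safe_db_include_path(array $post): ?string
{
    $driver = safe_db_driver($post);
    if ($driver === null) {
        return null;
    }
    return S9Y_INCLUDE_PATH . "include/db/{$driver}.inc.php";
}

// Constructed inputs: a legitimate selection and a traversal attempt with a NUL byte.
var_dump(vulnerable_db_include_path(['dbType' => "../../uploads/img.jpg\0"])); // attacker-chosen path
var_dump(safe_db_include_path(['dbType' => 'mysqli']));                          // include/db/mysqli.inc.php
var_dump(safe_db_include_path(['dbType' => "../../uploads/img.jpg\0"]));         // NULL, request rejected
```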

@Shinkurt
Author

Shinkurt commented Dec 19, 2016

@garvinhicking thanks, use CVE-2016-10082 for this.
