File Inclusion Attack - Possible RCE #433
```php
// line 640
$serendipity['dbType'] = $_POST['dbType'];
```
As you can see, a user-controlled variable, $serendipity['dbType'], is being sent to an include_once() function without any sanitization call, which results in file inclusion and remote code execution by referring to any file with a PHP payload in older PHP versions where null bytes (%00) are allowed.
Thanks a lot @Shinkurt for reporting this. If possible we appreciate security-related issues to be reported privately via email (see https://docs.s9y.org/docs/contributing/index.html) to coordinate fixes with responsible disclosure.
I have just committed a patch that sanitizes this variable for use in the installer. The RCE would only be usable upon first time installation, so this mitigates the risk a lot at least. :-)
The commit is here: bba6a84
On first installation in the advanced installer you can choose a database type (by default we would use mysqli on a non-advanced install). That database type is a . You could use DevTools/Firebug to make that select for 'dbType' point to a specific PHP file (or issue the HTTP POST request from outside). This means you would need the ability to upload malicious local PHP files in the first instance (i.e. by uploading a JPG with PHP code), so that you can include them. You would need a specific variable termination to be able to pass that properly (that's what the %00 referred to)...
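The pattern described in this issue, shown as an added example (not Serendipity's code and not the patch in commit bba6a84): the unsafe include next to an allow-list check that keeps request data out of the include path entirely. The `include/db/` directory, the `.inc.php` suffix and the driver-name list are assumptions for illustration, not the project's real values.

```php
<?php
// Added example; assumed layout: one driver file per database type under
// include/db/<type>.inc.php. Names below are illustrative, not s9y's.

// Vulnerable pattern from the report: the POSTed value alone decides which
// file is included. With a null byte (%00) on old PHP builds the appended
// suffix is cut off, so any readable file could be pulled in.
function load_db_layer_unsafe(array $post): void
{
    $dbType = $post['dbType'];
    include_once 'include/db/' . $dbType . '.inc.php';
}

// Hardened variant: user input is only compared against a fixed allow-list
// and the path is built from the matching allow-list entry, never from the
// request. The strict in_array() also rejects values carrying "\0" or "../".
const ASSUMED_DB_TYPES = ['mysqli', 'pdo-mysql', 'pdo-postgres', 'sqlite'];

function sanitize_db_type($value, array $allowed = ASSUMED_DB_TYPES): ?string
{
    if (!is_string($value)) {
        return null;
    }
    // Only plain identifiers may even be looked up (no separators, no NUL).
    if (preg_match('/^[a-z0-9-]+$/', $value) !== 1) {
        return null;
    }
    $idx = array_search($value, $allowed, true);
    return $idx === false ? null : $allowed[$idx];
}

function load_db_layer_safe(array $post): string
{
    // Fall back to the installer default rather than honouring bad input.
    $dbType = sanitize_db_type($post['dbType'] ?? null) ?? 'mysqli';
    $path = 'include/db/' . $dbType . '.inc.php';
    include_once $path;
    return $path;
}

// Constructed inputs: a legitimate choice and a traversal/null-byte attempt.
var_dump(sanitize_db_type('mysqli'));                 // string(6) "mysqli"
var_dump(sanitize_db_type("../../uploads/x.jpg\0"));  // NULL
```

Logging the rejected value alongside the fallback gives the installer a cheap detection signal for tampered `dbType` submissions.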