Bugtraq mailing list archives
Re: OpenPinboard <= Remote File Include
From: "Steven M. Christey" <coley () mitre org>
Date: Mon, 8 Jan 2007 21:07:03 -0500 (EST)
Remote file inclusion does not seem possible - the only relevant code is this:

    require_once("languages/$language.php");

Since the "languages/" string will always appear first, you can't inject an "http://" or similar to the front of the string, so remote file inclusion is not possible.

OK, so we need to consider directory traversal sequences a la ".." for local file inclusion.

It appears that directory traversal might be exploitable before product installation is complete.

Before the require_once statement, we have:

    if (file_get_contents("locked")!="locked")
        header("location: install.php");
    require_once("config.php");

As has been observed by various people, merely printing a Location header will not prevent execution of the rest of the application. So, the require_once() will always be executed.

In 2.0 and 2.0.1, config.php is empty - at least until the admin has finished installation using install.php. So, before installation is complete, $language (and other variables) are not set to any values.

Assuming register_globals is enabled, there is a small time window during which the attacker might insert ".." (and probably "%00"?) into the $language parameter to include local files.

After the admin has properly run install.php, $language is inserted into config.php, preventing this particular exploit.

Unfortunately, during the post-disclosure analysis of install.php, I might have found a serious issue involving code execution but not RFI. I will privately work with the developer to address the problem, then follow up to the list.

- Steve
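One way to harden the bootstrap sequence discussed in the message above, shown as an added example (it is not OpenPinboard's code and not part of the original post). The allow-list contents, the function names and the `$baseDir` parameter are assumptions made for illustration.

```php
<?php
// Added illustration; not OpenPinboard code. All names here are hypothetical.

// Hypothetical allow-list of the language packs shipped under languages/.
const ALLOWED_LANGUAGES = ['english', 'german'];
const DEFAULT_LANGUAGE  = 'english';

// Map an untrusted value to a name that is safe to place in a file path.
// Anything that is not an exact allow-list match falls back to the default,
// so "..", "/" and NUL bytes never reach require_once.
function resolve_language($candidate): string
{
    if (!is_string($candidate)) {
        return DEFAULT_LANGUAGE;
    }
    return in_array($candidate, ALLOWED_LANGUAGES, true) ? $candidate : DEFAULT_LANGUAGE;
}

// True only when the install lock file exists and holds the expected marker.
function is_installed(string $baseDir): bool
{
    return @file_get_contents($baseDir . '/locked') === 'locked';
}

function bootstrap(string $baseDir): void
{
    if (!is_installed($baseDir)) {
        header('Location: install.php');
        exit; // stop here: header() alone does not end the script
    }
    $language = null;                    // known state before config.php runs
    require_once $baseDir . '/config.php';
    $language = resolve_language($language);
    require_once $baseDir . '/languages/' . $language . '.php';
}

// Constructed sample inputs, run from the command line only.
if (PHP_SAPI === 'cli') {
    $samples = ['german', '../config', "../locked\0", null];
    foreach ($samples as $value) {
        echo json_encode($value), ' -> ', resolve_language($value), PHP_EOL;
    }
}
```

The `exit` after the redirect closes the pre-installation window, and the allow-list keeps the include path fixed even if `$language` is ever left unset by `config.php`.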