Ticket #1006 (fixed bug)
[HTB23246] File Inclusion in install.php
- Created: 2015-01-02 18:20:51
- Reported by: Franz
- Assigned to: Franz
- Milestone: 1.5.8
- Component: security
- Priority: highest
High-Tech Bridge Security Research Lab discovered vulnerability in FluxBB, which can be exploited to compromise vulnerable system.
1) Local PHP File Inclusion in FluxBB
The vulnerability exists due to absence of filtration of the "install_lang" HTTP GET parameter before including PHP files using the "require()" PHP function in "/install.php" script. The installation script "/install.php" remains on the system after installation by default and is accessible to anonymous users. A remote attacker can include and execute arbitrary "install.php" file from any directory on the server using directory traversal (e.g. "../") sequences. This may result in arbitrary PHP code execution and full system compromise.
A simple PoC below will include and execute "/tmp/install.php" script:
http://fluxbb/install.php?install_lang=../../../../../tmp/
Successful exploitation requires that attacker is able to plant a malicious "install.php" file on the system.
History
Franz 2015-01-02 18:28:27

From what I see, this is easy to fix and also not easy to exploit (given no other file upload vulnerability).
I will fix this right before the release of v1.5.8.
In v1.3, we used to have a notice for admins suggesting to remove install.php once the installation was complete. Maybe we should add something similar on the admin index page? (Possibly along with a text suggesting to do so right after successful installation.)
Franz 2015-01-06 10:59:22

Patch suggested by Quy:
// Make sure we got a valid language string
$install_lang = preg_replace('%[\.\\\/]%', '', $install_lang);
Franz 2015-01-18 14:55:32

- Status changed from open to fixed.
I pushed the fix to the master branch. The official release will follow in the next couple days.
Visman 2015-01-28 15:25:24

This change is not in the archive there https://fluxbb.org/download/releases/1. … -1.5.8.zip
And in https://fluxbb.org/download/releases/1. … 1.5.7.html too.
Franz 2015-01-28 15:38:43

Darn. Very, very strange. I had accidentally pushed a wrong commit at first.
I guess our local tag was not updated.