Fork me on GitHub
Subscribe 1

Ticket #1006 (fixed bug)

[HTB23246] File Inclusion in install.php

  • Created: 2015-01-02 18:20:51
  • Reported by: Franz
  • Assigned to: Franz
  • Milestone: 1.5.8
  • Component: security
  • Priority: highest

High-Tech Bridge Security Research Lab discovered vulnerability in FluxBB, which can be exploited to compromise vulnerable system.


1) Local PHP File Inclusion in FluxBB

The vulnerability exists due to absence of filtration of the "install_lang" HTTP GET parameter before including PHP files using the "require()" PHP function in "/install.php" script. The installation script "/install.php" remains on the system after installation by default and is accessible to anonymous users. A remote attacker can include and execute arbitrary "install.php" file from any directory on the server using directory traversal (e.g. "../") sequences. This may result in arbitrary PHP code execution and full system compromise.

A simple PoC below will include and execute "/tmp/install.php" script:

http://fluxbb/install.php?install_lang=../../../../../tmp/

Successful exploitation requires that attacker is able to plant a malicious "install.php" file on the system.

History

Franz 2015-01-02 18:28:27

From what I see, this is easy to fix and also not easy to exploit (given no other file upload vulnerability).

I will fix this right before the release of v1.5.8.

In v1.3, we used to have a notice for admins suggesting to remove install.php once the installation was complete. Maybe we should add something similar on the admin index page? (Possibly along with a text suggesting to do so right after successful installation.)

Franz 2015-01-06 10:59:22

Patch suggested by Quy:

// Make sure we got a valid language string
$install_lang = preg_replace('%[\.\\\/]%', '', $install_lang);

Franz 2015-01-18 14:53:24

Commit 6a1f2ed to fluxbb master

#1006: Sanitize installation language parameter.

Franz 2015-01-18 14:55:32

  • Status changed from open to fixed.

I pushed the fix to the master branch. The official release will follow in the next couple days.

Franz 2015-01-23 00:30:24

  • Visibility set to public.

Visman 2015-01-28 14:55:31

This fix was not included in version 1.5.8 О_о

Franz 2015-01-28 15:38:43

Darn. Very, very strange. I had accidentally pushed a wrong commit at first.

I guess our local tag was not updated.

Franz 2015-01-28 15:44:25

Fixed now. Thanks for catching this, that stinks!