Re: OpenPinboard <= Remote File Include

["Steven M. Christey" <coley () mitre org>]

Remote file inclusion does not seem possible - the only relevant
code is this:

  require_once("languages/$language.php");

Since the "languages/" string will always appear first, you can't
inject an "http://"; or similar to the front of the string, so remote
file inclusion is not possible.

OK, so we need to consider directory traversal sequences a la ".." for
local file inclusion.

It appears that directory traversal might be exploitable before
product installation is complete.

Before the require_once statement, we have:

  if (file_get_contents("locked")!="locked") header("location: install.php");
  require_once("config.php");

As has been observed by various people, merely printing a Location
header will not prevent execution of the rest of the application.  So,
the require_once() will always be executed.

In 2.0 and 2.0.1, config.php is empty - at least until the admin has
finished installation using install.php.

So, before installation is complete, $language (and other variables)
are not set to any values.  Assuming register_globals is enabled,
there is a small time window during which the attacker might insert
".." (and probably "%00"?) into the $language parameter to include
local files.

After the admin has properly run install.php, $language is inserted
into config.php, preventing this particular exploit.

Unfortunately, during the post-disclosure analysis of install.php, I
might have found a serious issue involving code execution but not RFI.
I will privately work with the developer to address the problem, then
follow up to the list.

- Steve