biow0lf / evedev-kb

Automatically exported from code.google.com/p/evedev-kb

Local File Inclusion vulnerabilities #228

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Visit http://yoursite.com/?a=../../../../../../../../../etc/passwd%00

What is the expected output? What do you see instead?

Expected: Either a 404, or a transparent redirection to the home page
Result: Your /etc/passwd contents are displayed.

What version of the board are you using? e.g. 3.2.3 or 4.0 revision
Latest - 4.0.4

What version of PHP and MySQL does the board run on?

Irrelevant, but to use the above example specifically (null byte issues - 
http://php.net/manual/en/security.filesystem.nullbytes.php) use less than 5.3.4.

Please provide any additional information below.

From a quick glance, it looks like it's not just the index.php page issues that 
might have this bug, but luckily, a lot of the common/* files do some regex 
checks to make sure the things they include have no special characters.
Obviously, anyone running on PHP < 5.3.4 is in a horribly high-risk position as 
anyone could include /proc/self/environ and get code exec (depending on 
operating system defences), or log files etc.
If SQLi were also to be found, anyone could select into outfile to the 
cache directory and get code exec on > 5.3.4 as well.

Original issue reported on code.google.com by twocrazy...@gmail.com on 28 Nov 2012 at 1:28
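The include pattern the report describes, shown beside a validated form, as an added illustration rather than evedev-kb's own code; the `mods/` directory, the function names and the 32-character name limit are assumptions.

```php
<?php
// Added illustration, not evedev-kb's own code. The mods/ directory and
// the function names are hypothetical.

// Vulnerable: the user-controlled ?a= value is concatenated straight into
// the include path. "../" sequences walk out of the modules directory, and
// on PHP < 5.3.4 a trailing %00 truncates the string so the ".php" suffix
// is never appended, which is how /etc/passwd ends up being read.
function loadPageUnsafe($a)
{
    include __DIR__ . '/mods/' . $a . '.php';
}

// Hardened: only a short name of letters, digits and underscores is
// accepted (note \z rather than $, since $ still matches before a trailing
// newline), the resulting path is canonicalised with realpath(), and it
// must still lie inside the modules directory before being included.
// Anything else gets the transparent redirection the report expects.
function loadPageSafe($a)
{
    $base = realpath(__DIR__ . '/mods');
    if (preg_match('/^[A-Za-z0-9_]{1,32}\z/', $a) !== 1) {
        header('Location: /');
        exit;
    }
    $path = realpath($base . '/' . $a . '.php');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        header('Location: /');
        exit;
    }
    include $path;
}
```

The regex alone rejects both the traversal and the null byte; the realpath() containment check is a second line of defence in case the allowed character set is later widened to permit slashes.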

GoogleCodeExporter commented 9 years ago
Works as expected on my site. Does a transparent redirection to the homepage.

Original comment by hgloc...@gmail.com on 18 Dec 2012 at 7:06

GoogleCodeExporter commented 9 years ago
That will happen if you have suhosin/newer PHP if you try to use my example, as 
noted in the description. Regardless, the bug is still there, and given the 
likelihood of at least one person running an older PHP version, this is kind of 
a critical issue. People don't like running software that gets them owned.

Original comment by twocrazy...@gmail.com on 19 Dec 2012 at 3:02

GoogleCodeExporter commented 9 years ago
This issue was closed by revision 68b0897f0060.

Original comment by kovellia on 22 Dec 2012 at 12:36