[VIM] uh-oh: local file inclusion from insecure permissions

Steven M. Christey coley at mitre.org
Fri Aug 24 23:44:54 UTC 2007


Ref: CONFIRM:http://www.torrenttrader.org/index.php?showtopic=5843

(CVE pending)

The ACK says "We have been made aware of a hole in the script that can
be exploited. Please CHMOD your .txt files in the root back to 644 to
disable write access (you can edit them via FTP still) ...
disclaimer.txt ... sponsors.txt ... banners.txt ... we are working to
address this issue ...."

Source inspection of 1.07, as downloaded on 20070824, shows that these
files have 640 permissions, at least as extracted from the tarball.

So, we were asking ourselves... why is modifying these files a
security issue, and what's the attack vector?  Maybe local symlink
following, but then I'd think they'd say change the directory
permissions too.

Ah, grep, you wondrous workhorse of post-disclosure analysis:

>  grep banners.txt *.php

  admin.php:      include("banners.txt");
  ....
  check.php:$banners = chmod($_SERVER['DOCUMENT_ROOT'] . "/banners.txt", 0666);
  check.php:      if(!$banners){ echo "banners.txt - Error setting
       permissions<br>"; } else { echo "banners.txt - Success! CHMOD
       CHANGED<br>"; }
  check.php:If you see "Unwriteable" you need to change the permissions
       on the file or directory to 777 or 666 so that  TorrentTrader to write
       to it.


So... a text file is given world-writable permissions, but it's used
in an include statement.  So, at least, we have a locally exploitable
"file inclusion" issue thanks to insecure permissions.

We see similar things for sponsors.txt and disclaimer.txt, but grep
also yields this tidbit:

  index.php:echo file_get_contents("disclaimer.txt") ;

So, this is a way to do local "file inclusion" for any visitor to the
site.

I didn't investigate whether there were remote attack vectors.

I bet there's a TON of these kinds of "writable-LFI" issues out
there...

- Steve
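The grep-driven check above generalises into a small audit that a practitioner can run over any PHP tree: find every file pulled in by include/require or read with file_get_contents, then flag the ones that are writable by group or other. The script below is an added example and is not part of the post or of TorrentTrader; it builds its own constructed sample web root (file names borrowed from the post, contents invented) rather than touching a real install. It only matches literal string arguments, so dynamically built paths are not caught, and it checks file mode only, not whether the containing directory is writable (the symlink case the post mentions).

```shell
#!/bin/sh
# Added example (not from the original post): audit a PHP tree for files that
# are both pulled in by include/require/file_get_contents and writable by
# other local users, i.e. the "writable-LFI" pattern discussed above.
set -u

# Build a constructed sample web root that mimics the pattern in the post.
# The PHP contents are invented; only the file names come from the post.
make_sample_root() {
  root=$(mktemp -d)
  printf '<?php include("banners.txt"); ?>\n' > "$root/admin.php"
  printf '<?php echo file_get_contents("disclaimer.txt"); ?>\n' > "$root/index.php"
  printf '<?php require_once("config.php"); ?>\n' > "$root/check.php"
  : > "$root/banners.txt";    chmod 0666 "$root/banners.txt"    # world-writable and included
  : > "$root/disclaimer.txt"; chmod 0666 "$root/disclaimer.txt" # world-writable and echoed
  : > "$root/config.php";     chmod 0644 "$root/config.php"     # sane permissions
  echo "$root"
}

# Print "caller:target:mode" for every literal include/require/file_get_contents
# target under $1 whose mode has the write bit set for group or other.
find_writable_includes() {
  root=$1
  Q="'"
  # Match e.g. include("banners.txt") or file_get_contents('x.txt'); literal
  # string arguments only, so dynamically built paths are not caught.
  pat="(include|include_once|require|require_once|file_get_contents)[[:space:]]*\(?[[:space:]]*[\"$Q][^\"$Q]+[\"$Q]"
  grep -EHo "$pat" "$root"/*.php \
  | sed -E "s/^([^:]+):[^\"$Q]*[\"$Q]([^\"$Q]+)[\"$Q]/\1 \2/" \
  | while read -r caller target; do
      path="$root/$target"
      [ -f "$path" ] || continue
      # GNU stat first, BSD stat as fallback; both yield an octal mode like 666
      mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
      g=$(( (mode / 10) % 10 ))   # group digit
      o=$(( mode % 10 ))          # other digit
      # write permission is the 2 bit of the digit
      if [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]; then
        printf '%s:%s:%s\n' "$(basename "$caller")" "$target" "$mode"
      fi
    done
}

# Stand-alone usage: build the sample tree, report, clean up.
if [ "${1:-}" = "--demo" ]; then
  r=$(make_sample_root)
  find_writable_includes "$r"
  rm -rf "$r"
fi
```

Run it with `--demo` to see the two offending pairs from the sample tree; point `find_writable_includes` at a real document root to audit an install. A file included with include() that is writable by another local user is arbitrary PHP execution as the web server; a file that is merely echoed is content injection for every visitor. Both are reported the same way here because the fix is the same: take the write bit away (the 644 the vendor ACK recommends, or the 640 the tarball ships) and stop the application from chmod-ing it back.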

