Vanilla Forums 2.0.18.5 Local File Inclusion

`-------------------------------------------------------------------------------------------  
Vanilla Forums <= 2.0.18.5 (class.utilitycontroller.php) PHP Object   
Injection Vulnerability  
-------------------------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
http://vanillaforums.org/  
  
  
[-] Affected Versions:  
  
All versions from 2.0 to 2.0.18.5.  
  
  
[-] Vulnerability Description:  
  
The vulnerable code is located in   
/applications/dashboard/controllers/class.utilitycontroller.php:  
  
316. // Get the message, response, and transientkey  
317. $Messages = TrueStripSlashes(GetValue('Messages', $_POST));  
318. $Response = TrueStripSlashes(GetValue('Response', $_POST));  
319. $TransientKey = GetIncomingValue('TransientKey', '');  
320.   
321. // If the key validates  
322. $Session = Gdn::Session();  
323. if ($Session->ValidateTransientKey($TransientKey)) {  
324. // If messages wasn't empty  
325. if ($Messages != '') {  
326. // Unserialize them & save them if necessary  
327. $Messages = Gdn_Format::Unserialize($Messages);  
  
[...]  
  
358. // If the response wasn't empty, save it in the config  
359. if ($Response != '')  
360. $Save['Garden.RequiredUpdates'] =   
Gdn_Format::Unserialize($Response);  
  
User input passed through the "Messages" and "Response" POST parameters   
is not properly sanitized  
before being used in a call to the "Gdn_Format::Unserialize" method at   
lines 327 and 360. This can  
be exploited to inject arbitrary PHP objects into the application scope,   
that could allow an attacker  
to conduct Local File Inclusion attacks by abusing the   
"Gdn_Module::__toString" method, which triggers  
a call to the "Gdn_Module::FetchView" method:  
  
111. public function FetchView() {  
112. $ViewPath = $this->FetchViewLocation();  
113. $String = '';  
114. ob_start();  
115. if(is_object($this->_Sender) && isset($this->_Sender->Data)) {  
116. $Data = $this->_Sender->Data;  
117. } else {  
118. $Data = array();  
119. }  
120. include ($ViewPath);  
  
The value returned by the "Gdn_Module::FetchViewLocation" method at line   
112 can be controlled by the  
"_ApplicationFolder" object's property, which results in an arbitrary   
local file inclusion at line 120.  
Successful exploitation of the vulnerability using this vector requires   
the application running on  
PHP < 5.3.4, because it needs a null-byte injection attack. However,   
other attack vectors might  
be possible, e.g. leveraging magic methods of classes defined in   
third-party components.  
  
  
[-] Solution:  
  
Update to version 2.0.18.6 or higher.  
  
  
[-] Disclosure Timeline:  
  
[02/03/2013] - Vendor notified  
[22/03/2013] - Version 2.0.18.6 released: http://git.io/7EXdpQ  
[10/05/2013] - CVE number assigned  
[07/10/2013] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2013-3528 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2013-09  
`