PrivateBin Local File Inclusion Vulnerability in Template Switching Feature

Vulnerability

A local file inclusion vulnerability has been identified in PrivateBin versions from 1.7.7 up to, but not including, 2.0.3. The issue arises in the template-switching feature when 'templateselection' is enabled. The server trusts the value of the 'template' cookie and includes the PHP file it names. This allows an attacker to read sensitive data or, if they can also upload a PHP file, to achieve remote code execution. The vulnerability does not affect PrivateBin's own project files, because a default protection mechanism covers them, but it could be exploited under certain conditions, such as reaching unprotected configuration files or other PHP scripts on the server that lack proper privilege checks.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive data or arbitrary file inclusion, with the potential for remote code execution if certain conditions are met.

Reproduction

To reproduce this vulnerability, enable 'templateselection' in the PrivateBin configuration file 'cfg/conf.php'. Then, send a request with a 'template' cookie that points to a PHP file without its extension, using a relative path from the 'tpl' directory. The server will include the specified file, potentially leading to unauthorized data access or code execution.

Remediation

Users can update to PrivateBin version 2.0.3, where this vulnerability has been patched. Alternatively, 'templateselection' can be disabled in the configuration file 'cfg/conf.php'.
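The underlying defect is that a cookie value is used to build an include path. The following is an added example of the hardened pattern, not PrivateBin's own code: the cookie is treated as an opaque label checked against an allowlist, and the resolved path is verified to stay inside the template directory. The template names, the 'tpl/' layout and the function names are assumptions for illustration.

```php
<?php
// Added example (not PrivateBin's code): hardened template selection.
// Assumes templates live as <name>.php under a 'tpl/' directory beside this
// script. The allowlist below is constructed for the example.
const ALLOWED_TEMPLATES = ['bootstrap5', 'page'];
const DEFAULT_TEMPLATE  = 'bootstrap5';

/**
 * Map the 'template' cookie to a template *name*, never to a path.
 * Only an exact allowlist match is accepted; anything else (missing cookie,
 * '../' sequences, absolute paths, unknown names) falls back to the default.
 */
function selectTemplate(?string $cookieValue): string
{
    if ($cookieValue === null) {
        return DEFAULT_TEMPLATE;
    }
    return in_array($cookieValue, ALLOWED_TEMPLATES, true)
        ? $cookieValue
        : DEFAULT_TEMPLATE;
}

/**
 * Resolve an allowlisted name to a file and confirm, after symlink and '..'
 * resolution, that it really lives inside tpl/ (defence in depth: even if the
 * allowlist were misconfigured, nothing outside tpl/ can be included).
 */
function templatePath(string $template): string
{
    $base = realpath(__DIR__ . '/tpl');
    $path = realpath($base . '/' . $template . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template not found inside tpl/');
    }
    return $path;
}

// Pattern the advisory describes (cookie value used directly in the include):
//   include 'tpl/' . $_COOKIE['template'] . '.php';
// Hardened usage: validate first, then include the verified path.
include templatePath(selectTemplate($_COOKIE['template'] ?? null));
```

A detection-side check for deployments that cannot upgrade immediately is to alert on 'template' cookie values containing path separators or dots, since a legitimate selection is a bare template name.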

Added: Nov 13, 2025, 4:20 PM
Updated: Nov 13, 2025, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread:         3.4
impact:         2.5
exploitability: 9.3
remediation:    8.3
relevance:      1.1
threat:         4.8
urgency:        2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.