phpmynuke css and phpinfo() vuls

From: Mindwarper (loggerat_private)
Date: Sun Jan 05 2003 - 03:29:59 PST


    myphpnuke version 1.8.8_final_7 and prior that contain sysinfo are
    vulnerable to both a CSS attack and phpinfo() disclosure. The problem is that,
    unlike the rest of the scripts under /admin/, sysinfo's footer script,
    called system_footer.php, does not check who the user is.
    Inside system_footer.php the following code is run:

    echo "<br>";
    phpinfo();
    echo "<br>";

    Thus showing any remote user sensitive data about the server.
    
    -
    
    Another problem in myphpnuke is the unchecked template includes.
    
    Examples:
    
    http://victim/html/partner.php?mainfile=anything&Default_Theme='<script>alert(document.cookie);</script>

    http://victim/html/chatheader.php?mainfile=anything&Default_Theme='<script>alert(document.cookie);</script>
    
    ...and a couple more of these exist.
    
    - Mindwarper
    -- loggerat_private
    
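Added example, not part of the original post: a log check for the two issues described above, flagging successful direct requests to system_footer.php and any request that sets Default_Theme or mainfile in the query string, whichever script receives it. The log lines are constructed, EXAMPLE_DIR is a placeholder for the real directory, and treating those two parameters as never legitimately client-supplied is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# EXAMPLE_DIR is a placeholder; the post does not give the full path.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jan/2003:03:40:01 -0800] "GET /html/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [05/Jan/2003:03:41:17 -0800] "GET /admin/EXAMPLE_DIR/system_footer.php HTTP/1.0" 200 48211 "-" "Mozilla/4.0"
192.0.2.44 - - [05/Jan/2003:03:42:02 -0800] "GET /html/partner.php?mainfile=anything&Default_Theme=%27%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 900 "-" "Mozilla/4.0"
192.0.2.51 - - [05/Jan/2003:03:43:30 -0800] "GET /html/chatheader.php?Default_Theme=Blue HTTP/1.0" 200 870 "-" "Mozilla/4.0"
192.0.2.60 - - [05/Jan/2003:03:44:09 -0800] "GET /admin/EXAMPLE_DIR/system_footer.php HTTP/1.0" 403 210 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: these are internal variables a normal client never sends.
INTERNAL_PARAMS = {"Default_Theme", "mainfile"}
MARKUP_RE = re.compile(r"[<>'\"]")


def scan(log_text):
    """Return (client, finding, location) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        # parse_qs percent-decodes values, so encoded markup is seen as markup.
        params = parse_qs(url.query, keep_blank_values=True)
        # A 200 on the footer script means phpinfo() output was served.
        if url.path.rsplit("/", 1)[-1] == "system_footer.php" and status == "200":
            findings.append((client, "phpinfo-exposed", url.path))
        # Match on the parameter name, not the script: more scripts are affected.
        for name in sorted(INTERNAL_PARAMS & params.keys()):
            value = params[name][0]
            kind = "param-markup" if MARKUP_RE.search(value) else "param-override"
            findings.append((client, kind, f"{url.path}?{name}"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```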
    



    This archive was generated by hypermail 2b30 : Mon Jan 06 2003 - 20:37:53 PST