I have just checked 5 different 6.5 installs some of which have been upgraded from previous 6.5 beta's and this file most definattly does not exist under 6.5 adminat_private wrote: >In-Reply-To: <20030326022821.48e4e54f.negativeat_private> > > > >>From: Jim Geovedi <negativeat_private> >>To: bugtraqat_private >>Subject: Re: PHPNuke viewpage.php allows Remote File retrieving >>Message-Id: <20030326022821.48e4e54f.negativeat_private> >>In-Reply-To: <3E8098FE.3070808@war-ensemble.com> >>References: <20030325163207.13063.qmailat_private> >> <3E8098FE.3070808@war-ensemble.com> >>Organization: Will Work For Bandwidth, Inc. >>X-Mailer: Superunknown. >>Mime-Version: 1.0 >>Content-Type: text/plain; charset=US-ASCII >>Content-Transfer-Encoding: 7bit >> >>On Tue, 25 Mar 2003 11:59:26 -0600 DaiTengu wrote: >> >> >>>>viewpage.php is a part of PHPNuke. >>>>The Script allows an attacker to view all files on the System. >>>> >>>>Example: >>>> >>>>http://server.com/viewpage.php?file=/etc/passwd >>>> >>>> >>>umm, what version of phpNuke is vulnerable to this? as far as I'm >>>aware, there has not been any viewpage.php since before 5.0... >>> >>>I beleive this was reported then as well. >>>reguardless, this is not true with 6.0 >>> >>> >>it's repeatable on PHP-Nuke 6.5. >> >>-- >> Jim Geovedi <negativeat_private> >> >> >> > I have the vanilla 6.5 and there is no viewpage.php file in the package >that I can find. Are you sure that this isn't in an addon? Or possibly >left over from a previous version that was never cleared out when phpnuke >was updated? > > >
This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 16:14:09 PST