[23079] in bugtraq
Copying and Deleting Files Using PHP-Nuke
daemon@ATHENA.MIT.EDU (masa@magnux.com)
Thu Nov 8 20:25:07 2001
Date: Mon, 5 Nov 2001 17:19:45 -0200 (BRST)
From: <masa@magnux.com>
To: BUGTRAQ Mailing List <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0111051717300.28875-100000@ops.magnux.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MASA:01-02:en - Copying and Deleting Files Using PHP-Nuke
Magnux Software Advisory - $Date: 2001/11/05 18:57:50 $
Overview
[1]PHP-Nuke is a popular web portal creation system written in [2]the
PHP language. Some PHP-Nuke versions have a security flaw that allows a
malicious user to copy and delete arbitrary files on the server
machine. If the malicious user is able to upload files to the web
server by some mechanism (e.g. anonymous FTP), he/she may be able
to copy PHP scripts into the web server document root and have them
interpreted by the scripting engine, which would allow him/her to run
commands on the machine remotely. Copying and deleting files is
subject to the permissions of the user id the web server runs
as. However, it is a common scenario to give the server write access to
the PHP-Nuke directories, or at least to some key files, so that site
administration can be performed from a web browser. This is explained
in detail in the PHP-Nuke INSTALL file.
Detailed Description
The admin/case/case.filemanager.php script contains code to abort
execution if it is called directly by the user instead of being
included by the admin.php script. The code checks whether the string
admin.php is present anywhere in the $PHP_SELF PHP variable, as an
indication that the file is being included by the aforementioned
script. Due to [3]a bug in PHP, a malicious user may insert the
searched-for string into the $PHP_SELF variable and thus make the test
always pass. Together with the use of automatic PHP global variables
from query string parameters, this flaw may be exploited to direct the
script to copy and delete arbitrary files on the server file system.
For example, the following URL will exploit the flaw to copy the file
php-nuke-document-root/config.php to
/var/ftp/incoming/phpnuke-config.txt:
http://example.org/admin/case/case.filemanager.php/admin.php?op=move&
confirm=1&do=copy&basedir=&file=../../config.php&
newfile=/var/ftp/pub/incoming/phpnuke-config.txt
The next example illustrates how a malicious user can copy a
previously uploaded file (/var/ftp/pub/incoming/foobar.gif) to a PHP
script (evil.php) under the web server document root:
http://example.org/admin/case/case.filemanager.php/admin.php?op=move&
confirm=1&do=copy&basedir=&file=/var/ftp/pub/incoming/foobar.gif&
newfile=evil.php
The following URL may be used to delete the file /tmp/foo on the
server:
http://example.org/admin/case/case.filemanager.php/admin.php?op=del&
confirm=1&basedir=&file=/tmp/foo
Note: The URLs were split into separate lines for formatting
reasons only. You must join the lines together to form the final
URLs.
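The two defects described above, an inclusion guard that only looks for a substring in $PHP_SELF and file names taken straight from query-string globals, can be contrasted with a guard that does not depend on the request path at all. The following is an added example written for this advisory, not PHP-Nuke's own code; the weak guard is a reconstruction of the check as the advisory describes it, and the constant name ADMIN_FILE, the function names and the directory layout in the comments are assumptions.

```php
<?php
// Added example, not PHP-Nuke code. Requires PHP 7 or later.

// Weak guard, modelled on the advisory's description: the included file
// only checks that "admin.php" occurs somewhere in $PHP_SELF. With PATH_INFO
// appended to the request, "/admin/case/case.filemanager.php/admin.php"
// satisfies it even though admin.php was never involved.
function weak_guard_passes(string $php_self): bool
{
    return strpos($php_self, 'admin.php') !== false;
}

// Hardened guard: the including script defines a constant before including
// the case file, and the case file refuses to run unless that constant
// exists. No request data can define a PHP constant, so the request path
// is irrelevant. Assumed layout:
//   admin.php:                     define('ADMIN_FILE', true);
//                                  include 'case/case.filemanager.php';
//   case/case.filemanager.php:     if (!defined('ADMIN_FILE')) { die('Illegal file access'); }
function hardened_guard_passes(): bool
{
    return defined('ADMIN_FILE');
}

// Second layer: with register_globals, $file and $newfile arrive directly
// from the query string. Resolve each name against an allowed root and
// refuse anything (../ sequences, absolute paths) that lands outside it.
// Returns the canonical target path, or null if the name is not acceptable.
function resolve_inside(string $base, string $relative): ?string
{
    $root = realpath($base);
    $name = basename($relative);
    // The target may not exist yet (copy destination), so canonicalise its
    // parent directory and re-attach the final component.
    $parent = realpath($base . '/' . dirname($relative));
    if ($root === false || $parent === false
        || $name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $target = $parent . DIRECTORY_SEPARATOR . $name;
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;   // escaped the allowed root
    }
    return $target;
}

// Constructed inputs mirroring the request shapes in the advisory.
$directRequest = '/admin/case/case.filemanager.php/admin.php';
var_dump(weak_guard_passes($directRequest));   // bool(true): guard fooled
var_dump(hardened_guard_passes());             // bool(false): not included by admin.php

$allowedRoot = sys_get_temp_dir();             // stands in for the file manager's base directory
var_dump(resolve_inside($allowedRoot, '../../config.php'));        // NULL: leaves the root
var_dump(resolve_inside($allowedRoot, '/var/ftp/pub/incoming/x'));  // NULL: absolute path, not under root
var_dump(resolve_inside($allowedRoot, 'report.txt'));               // string: plain name inside the root
```

Run it with `php guard-example.php`. The point of the constant-based guard is that it tests a fact about the server's own control flow (was admin.php the entry point?) rather than a fact about the request, which the client controls; the path check is the separate fix for the query-string parameters, and a site would want both.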
Impact
Remote users can copy and delete arbitrary files on the server system,
subject to web server user id restrictions.
Who is Affected
This flaw was found in PHP-Nuke 5.2. Other versions were not tested.
Note: Installations where the web server has no write access to the
web server document root are _not safe_. This vulnerability allows a
malicious user to access _any_ directory on the server file system
-- this can be used to copy sensitive system files (e.g.
/etc/passwd, web server basic authentication passwords, etc.) to
places where they can later be retrieved using other mechanisms.
Solution/workarounds
This issue was explained in detail in a mail sent to Francisco Burzi
<[4]fbc@mandrakesoft.com> (the author of PHP-Nuke) on October 9, 2001,
to which we received no reply. A second mail was sent on October 17,
2001, which was not answered either. We were not able to find any other
contact address on the PHP-Nuke web site. A final mail sent to some
standard contact address bounced.
Because of this, there is no official solution for this problem. A possible
workaround is to revoke the web server process's access to the offending
file, and/or to use HTTP authentication to restrict access to the
flawed script, so that only trusted users may reach it.
To deny the web server file system access to the script, one may use the
following commands:
# cd php-nuke-document-root
# chmod 0 admin/case/case.filemanager.php
Consult your web server documentation to know how to restrict access
to that script based on login/password.
Additional Information
MASA:01-02:en Copyright © 2001 by Magnux Software, Rio de
Janeiro/Brazil. All rights reserved. This document may be copied and
distributed freely in electronic form, provided that you keep it
unchanged. Parts of it may be used unchanged and in electronic form
only without the need for explicit author authorization, provided
that proper credit is given in the form "MASA:01-02:en from Magnux
Software (http://www.magnux.com/)". To copy or reprint the whole or
any part of this document in any other non-electronic medium, contact
<[5]masa@magnux.com>.
The information in this document may change without notice. The
information contained in this document is provided for _EDUCATIONAL
PURPOSE ONLY_ and without _ANY WARRANTY_. In no event shall the author
be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
This advisory and further updates, plus other advisories issued by
Magnux Software, can be found on the [6]MASA Advisories Page on the
[7]Magnux Software INTL web site. Questions about Magnux Software may
be sent to <[8]admin@magnux.com>. GPG keys are available at
[9]http://www.magnux.com/gpg-keys.txt.
References
1. http://www.phpnuke.org/
2. http://www.php.net/
3. http://bugs.php.net/bug.php?id=13606
4. mailto:fbc@mandrakesoft.com
5. mailto:masa@magnux.com
6. http://intl.magnux.com/masa/
7. http://intl.magnux.com/
8. mailto:admin@magnux.com
9. http://www.magnux.com/gpg-keys.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE75uFwCd55iUBoMvYRAmvRAJ9VEtiS1rSl1b2Nwt8KJnFpA8u18wCgkLFE
Tf/rFeoAMlF76vZcOkiGJK8=
=xb3g
-----END PGP SIGNATURE-----