Bugtraq mailing list archives

Fwd: Re: phpnuke, security problem...

From: Joao Gouveia <tharbad () kaotik org>
Date: Mon, 12 Feb 2001 11:07:15 -0000

Hi,

Due to this reply, i see no reason to delay this. No patch nor new version has
been released, for a quick fix, see below.

Regards,

Joao Gouveia
------------
tharbad () kaotik org


 Francisco Burzi <fburzi () ncc org ve>

Joao Gouveia wrote:


Helo Francisco,

There is yet another security flaw with the new phpnuke version.
Look here:
<quote opendir.php>
(...)
$REQUEST_URI = strip_tags($REQUEST_URI);
$res = explode("$PHP_SELF?", $REQUEST_URI);
$odp_cat = $res[1];
if (substr($odp_cat,0,1) == "/") $odp_cat = substr($odp_cat,1);
(define $requesturl)
(...)
</quote>
So, you're defining $requesturl based on something like /folder/page just
after the call to opendir.php.
This is no good, one can simply just don't suply a '/' as the first

argument,

thus allowing to assign our own $requesturl.
Example: http://www.phpnuke.org/opendir.php?requesturl=/etc/passwd

A simple quick fix would be initiating $requesturl anywhere in the

begining

of the script.
<quote>
$requesturl="";
</quote>

Best regards

Joao Gouveia
------------
tharbad () kaotik org


Yeah... but just say to me what can you do with a passwd file? just
nothing. The important file isn't passwd, is /etc/shadow, right? and you
get permission denied on that file... IF you get it you'll need a
supercomputer to crack md5 passwords. Just my thoughts. /etc/passwd had
problems in the past where crypted passwords was stored in, but now that
problem is no more.


Best Regards!
=============================================
 ____  _   _ ____       _   _       _
|  _ \| | | |  _ \     | \ | |_   _| | _____
| |_) | |_| | |_) | __ |  \| | | | | |/ / _ \
|  __/|  _  |  __/ |__|| |\  | |_| |   <  __/
|_|   |_| |_|_|        |_| \_|\__,_|_|\_\___|
=============================================
         Francisco Burzi (NuKeLiTe)
              fburzi () ncc org ve
PHP-Nuke.............................NukeNews
http://phpnuke.org        http://nukenews.com
=============================================




--

Joao Gouveia
------------
tharbad () kaotik org

Current thread:

Fwd: Re: phpnuke, security problem... Joao Gouveia (Feb 12)
- Re: Fwd: Re: phpnuke, security problem... Peter van Dijk (Feb 12)
  - Re: Fwd: Re: phpnuke, security problem... Thomas J. Stensas (Feb 13)
  - Re: Fwd: Re: phpnuke, security problem... sam mulvey (Feb 13)