Bugtraq mailing list archives

Copying and Deleting Files Using PHP-Nuke


From: <masa () magnux com>
Date: Mon, 5 Nov 2001 17:19:45 -0200 (BRST)


MASA:01-02:en - Copying and Deleting Files Using PHP-Nuke

   Magnux Software Advisory - $Date: 2001/11/05 18:57:50 $

Overview

   [1]PHP-Nuke is a popular web portal creation system written in [2]the
   PHP language. Some PHP-Nuke versions have a security flaw that allows a
   malicious user to copy and delete arbitrary files on the server
   machine. If the malicious user is able to upload files to the web
   server through some mechanism (e.g. anonymous FTP), he/she may be able
   to copy PHP scripts into the web server document root and have them
   interpreted by the scripting engine, which would allow him/her to run
   commands on the machine remotely. Copying and deleting files is
   subject to the permissions of the user id the web server is running
   as. However, it is a common scenario to give the server write access to
   the PHP-Nuke directories, or at least to some key files, so that site
   administration can be performed using a web browser. This is explained
   in detail in the PHP-Nuke INSTALL file.

Detailed Description

   The admin/case/case.filemanager.php script contains code to abort
   execution if it is called directly by the user instead of being
   included by the admin.php script. The code checks whether the string
   admin.php is present anywhere in the $PHP_SELF PHP variable, as an
   indication that the file is being included by the aforementioned
   script. Due to [3]a bug in PHP, a malicious user may insert the
   searched-for string into the $PHP_SELF variable and thus make the test
   always pass. Together with the use of automatic PHP global variables
   populated from query string parameters, this flaw may be exploited to
   direct the script to copy and delete arbitrary files on the server file
   system. For example, the following URL will exploit the flaw to copy
   the file php-nuke-document-root/config.php to
   /var/ftp/incoming/phpnuke-config.txt:

http://example.org/admin/case/case.filemanager.php/admin.php?op=move&
confirm=1&do=copy&basedir=&file=../../config.php&
newfile=/var/ftp/pub/incoming/phpnuke-config.txt

   The next example illustrates how a malicious user can copy a
   previously uploaded file (/var/ftp/pub/incoming/foobar.gif) to a PHP
   script (evil.php) under the web server document root:

http://example.org/admin/case/case.filemanager.php/admin.php?op=move&
confirm=1&do=copy&basedir=&file=/var/ftp/pub/incoming/foobar.gif&
newfile=evil.php

   The following URL may be used to delete the file /tmp/foo on the
   server:

http://example.org/admin/case/case.filemanager.php/admin.php?op=del&
confirm=1&basedir=&file=/tmp/foo

     Note: The URLs were split into separate lines for formatting
     reasons only. You must join the lines together to form the final
     URLs.
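   The following is an added example, not PHP-Nuke's own code: it models
   the include guard described above (a substring test on $PHP_SELF) and
   contrasts it with a guard based on a constant defined by the including
   script, which a request path cannot influence. The sample request
   paths are constructed.

```php
<?php
// Added example (not PHP-Nuke's code). Models the include guard the
// advisory describes and a guard that does not depend on the request path.

// Weak guard: passes whenever "admin.php" appears anywhere in $PHP_SELF.
// With PATH_INFO, a request for /admin/case/case.filemanager.php/admin.php
// gives a $PHP_SELF that ends in "/admin.php", so the test passes even
// though admin.php never ran and the module is being called directly.
function weak_guard_allows(string $php_self): bool
{
    return strpos($php_self, 'admin.php') !== false;
}

// Robust guard: the including script defines a constant before the
// include; the module refuses to run unless the constant exists.
// Nothing in the URL (query string or PATH_INFO) can define a constant.
//
//   // admin.php
//   define('ADMIN_FILE', true);
//   include 'case/case.filemanager.php';
//
//   // case/case.filemanager.php
//   if (!defined('ADMIN_FILE')) { die('Access Denied'); }
function robust_guard_allows(): bool
{
    return defined('ADMIN_FILE');
}

// Constructed sample values of $PHP_SELF as seen by the module.
$samples = [
    '/admin.php',                                  // legitimate include
    '/admin/case/case.filemanager.php',            // direct call
    '/admin/case/case.filemanager.php/admin.php',  // direct call + PATH_INFO
];

foreach ($samples as $self) {
    printf("%-45s weak guard: %s\n", $self,
        weak_guard_allows($self) ? 'allows' : 'denies');
}

// In a direct call of the module the constant was never defined,
// so the robust guard denies regardless of the request path.
printf("%-45s robust guard: %s\n", '(any direct call)',
    robust_guard_allows() ? 'allows' : 'denies');
```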

Impact

   Remote users can copy and delete arbitrary files on the server system,
   subject to web server user id restrictions.

Who is Affected

   This flaw was found in PHP-Nuke 5.2. Other versions were not tested.

     Note: Installations where the web server has no write access to the
     web server document root are _not safe_. This vulnerability allows a
     malicious user to access _any_ directory on the server file system;
     this can be used to copy sensitive system files (e.g. /etc/passwd,
     web server basic authentication password files, etc.) to places
     where they can later be retrieved using other mechanisms.

Solution/workarounds

   This issue was explained in detail in a mail sent to Francisco Burzi
   <[4]fbc () mandrakesoft com> (the author of PHP-Nuke) on October 9, 2001,
   for which we received no reply. A second mail was sent on October 17,
   2001, which wasn't replied to either. We were not able to find any other
   contact address on the PHP-Nuke web site. A final mail sent to some
   standard contact address bounced.

   Because of this, there is no official solution for this problem. A
   possible workaround is to revoke the web server process's access to the
   offending file, and/or to use HTTP authentication to restrict access to
   the flawed script, so that only trusted users may reach it.

   To deny the web server file system access to the script, one may use
   the following commands:

# cd php-nuke-document-root
# chmod 0 admin/case/case.filemanager.php

   Consult your web server documentation to learn how to restrict access
   to that script by login/password.

Additional Information

   MASA:01-02:en Copyright © 2001 by Magnux Software, Rio de
   Janeiro/Brazil. All rights reserved. This document may be copied and
   distributed freely in electronic form, provided that you keep it
   unchanged. Parts of it may be used unchanged and in electronic form
   only without the need for explicit author authorization, provided
   that proper credit is given in the form "MASA:01-02:en from Magnux
   Software (http://www.magnux.com/)". To copy or reprint the whole or
   any part of this document in any other non-electronic medium, contact
   <[5]masa () magnux com>.

   The information in this document may change without notice. The
   information contained in this document is provided for _EDUCATIONAL
   PURPOSE ONLY_ and without _ANY WARRANTY_. In no event shall the author
   be liable for any damages whatsoever arising out of or in connection
   with the use or spread of this information. Any use of this
   information is at the user's own risk.

   This advisory and further updates, plus other advisories issued by
   Magnux Software, can be found on the [6]MASA Advisories Page on the
   [7]Magnux Software INTL web site. Questions about Magnux Software may
   be sent to <[8]admin () magnux com>. GPG keys are available at
   [9]http://www.magnux.com/gpg-keys.txt.

References

   1. http://www.phpnuke.org/
   2. http://www.php.net/
   3. http://bugs.php.net/bug.php?id=13606
   4. mailto:fbc () mandrakesoft com
   5. mailto:masa () magnux com
   6. http://intl.magnux.com/masa/
   7. http://intl.magnux.com/
   8. mailto:admin () magnux com
   9. http://www.magnux.com/gpg-keys.txt
