Re: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke v7.3 and earlier

[Remy Wetzels <r.wetzels () chello nl>]

In-Reply-To: <20040601184035.31371.qmail () www securityfocus com>


> The process consists of capturing the currently executing script's path and 
> filename with the global variable $_SERVER['PHP_SELF'].  Using PHP's built-in 
> function eregi(), this value is then compared against the script's name 
> which should be the sole access point.
>
> Example:
> if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
>
> In this example, a file with the above snippet will continue executing if 
> it was accessed by another file containing the letters "admin.php" (without 
> quotes) otherwise the script aborts returning the words "Access Denied".  
>
> Using eregi() with the NOT logical operator as done by PhpNuke's developers 
> is a very poor way to control file access because anyone can easily 
> manipulate a URL and add the missing component thereby forcing the security 
> check to always evaluate to false and gain unfettered entry.

Using eregi is NOT the problem. The problem is the usage of $_SERVER['PHP_SELF'] which can't handle URL requests which 
have a slash ('/') as their first character in the query_string and thinks this is part of it's path. Using SCRIPT_NAME 
is much safer...