Bugtraq mailing list archives
Re: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke v7.3 and earlier
From: Remy Wetzels <r.wetzels () chello nl>
Date: 5 Jun 2004 12:50:33 -0000
In-Reply-To: <20040601184035.31371.qmail () www securityfocus com>
The process consists of capturing the currently executing script's path and filename with the global variable $_SERVER['PHP_SELF']. Using PHP's built-in function eregi(), this value is then compared against the script's name which should be the sole access point. Example:

    if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }

In this example, a file with the above snippet will continue executing if it was accessed by another file containing the letters "admin.php" (without quotes) otherwise the script aborts returning the words "Access Denied". Using eregi() with the NOT logical operator as done by PhpNuke's developers is a very poor way to control file access because anyone can easily manipulate a URL and add the missing component thereby forcing the security check to always evaluate to false and gain unfettered entry.
Using eregi is NOT the problem. The problem is the usage of $_SERVER['PHP_SELF'] which can't handle URL requests which have a slash ('/') as their first character in the query_string and thinks this is part of its path. Using SCRIPT_NAME is much safer...
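The following is an added example, not code from the advisory, from Remy's reply, or from PhpNuke. It models the check the thread discusses against constructed $_SERVER arrays so it can be run from the command line (php check.php) without a web server. Because eregi() was removed in PHP 7, preg_match() with the /i modifier stands in for it; the function names and the sample requests are assumptions made for the demonstration. The third request is the case Remy describes: extra path after the script name that PHP reports in PHP_SELF but not in SCRIPT_NAME.

```php
<?php
// Added example: PHP_SELF-based check versus SCRIPT_NAME-based check,
// run against constructed $_SERVER arrays (no web server needed).

/** The original style of check: case-insensitive substring match on PHP_SELF. */
function allowedByPhpSelf(array $server): bool
{
    return (bool) preg_match('/admin\.php/i', $server['PHP_SELF']);
}

/** Same substring test on SCRIPT_NAME, which holds only the executing script. */
function allowedByScriptName(array $server): bool
{
    return (bool) preg_match('/admin\.php/i', $server['SCRIPT_NAME']);
}

/** Stricter variant (added here): the executing script must literally be admin.php. */
function allowedByExactScriptName(array $server): bool
{
    return basename($server['SCRIPT_NAME']) === 'admin.php';
}

// Constructed sample requests. PHP builds PHP_SELF as SCRIPT_NAME followed by
// any PATH_INFO, so a trailing path segment ends up inside PHP_SELF.
$requests = [
    'GET /admin.php (legitimate)'          => ['SCRIPT_NAME' => '/admin.php',   'PHP_SELF' => '/admin.php'],
    'GET /modules.php (direct)'            => ['SCRIPT_NAME' => '/modules.php', 'PHP_SELF' => '/modules.php'],
    'GET /modules.php/admin.php (path info)' => ['SCRIPT_NAME' => '/modules.php', 'PHP_SELF' => '/modules.php/admin.php'],
];

printf("%-40s %-10s %-13s %s\n", 'request', 'PHP_SELF', 'SCRIPT_NAME', 'exact');
foreach ($requests as $label => $server) {
    printf(
        "%-40s %-10s %-13s %s\n",
        $label,
        allowedByPhpSelf($server)        ? 'allowed' : 'denied',
        allowedByScriptName($server)     ? 'allowed' : 'denied',
        allowedByExactScriptName($server) ? 'allowed' : 'denied'
    );
}
```

Only the PHP_SELF check lets the third request through, because the extra path segment is part of PHP_SELF but not of SCRIPT_NAME. The SCRIPT_NAME substring test still accepts any executing script whose filename happens to contain "admin.php", which is why the exact basename comparison is the safer form; either way this only pins down which script is running and is not a substitute for checking that the user is actually authorized.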
Current thread:
- [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke v7.3 and earlier Squid (Jun 01)
- <Possible follow-ups>
- Re: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke v7.3 and earlier Remy Wetzels (Jun 05)
- Re: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke v7.3 and earlier Squid (Jun 07)