Date: Mon Sep 24 2001 - 14:31:16 CDT
twlc security division
Php nuke BUGGED.
LucisFero and supergate
This time the bug is really dangerous...it allows you to 'cp' any file on
the box... or even upload files...
all the versions ARE vulnerable
except '5.0 RC1' (i wonder why a released c. is ok while the final 5.2 is
Do you need sql password?
the admin 'login' page will be prompted just go to
http://www.server.net/images/hacked.txt and you will see config.php which, as
everyone knows, contains the sql passwords, you can even upload files...i
leave you the 'fun' of finding all the ways to use it... and try not to be a
SCRIPT KIDDIE, we wrote this advisory to help those who run php nuke and NOT TO
LET YOU HAVE FUN.
let me explain the bug to you... admin.php contains this routine:
$basedir = dirname($SCRIPT_FILENAME);
$textrows = 20;
$textcols = 85;
$udir = dirname($PHP_SELF);
$lastaction = ""._UPLOADED." $userfile_name --> $wdir";
// This need a rewrite -------------------------------------> OMG! WE
chdir($basedir . $wdir2);
that doesn't do a check to see if you are logged in as admin or not... so you can
use it anyway...
we erased the function... cause we wanted to remove the file manager anyway
and i suggest you do the same... -to upload files use FTP-
yet another bug in php nuke... this software is used by thousands of
people... (we run something based on it too) i hope that this time the
author will reply soon and will release a patch too! as i said before just
don't try to be a script kiddie or we simply WON'T post this kind of
advisory anymore. Prolly the funny thing is that the one who first discovered
the bug was LucisFero, who... 2 hours before didn't know php ... so i
(supergate) fear him and you should too.
http://www.twlc.net article http://www.twlc.net/article.php?sid=421
http://www.phpnuke.org -good luck-
http://sourceforge.net/tracker/?group_id=7511 Project: PHP-Nuke Web Portal
and of course mailed to the author of php nuke
contacts (bugs, ideas, insults, cool girls... remember that trojans are
directed to /dev/null):
http://www.twlc.net (yes we are patched)
peace out pimps. cheers to everyone.
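
The missing login check described in the advisory, sketched as a guard for sites that keep a file manager instead of removing it (an added example, not code from PHP-Nuke or from the advisory's authors). The fm_* function names and the session keys are hypothetical, and the directory containment check goes beyond the login check the advisory names.

```php
<?php
declare(strict_types=1);
// Added example. All fm_* names and session keys are hypothetical, not PHP-Nuke's.

/** Deny by default: only an authenticated admin session may use the file manager. */
function fm_require_admin(array $session): void
{
    if (empty($session['admin_id']) || ($session['is_admin'] ?? false) !== true) {
        throw new RuntimeException('admin login required');
    }
}

/** Resolve the requested working directory and refuse anything outside $root. */
function fm_resolve_dir(string $root, string $wdir): string
{
    $rootReal = realpath($root);
    $target   = realpath($root . '/' . $wdir);   // collapses ../ and symlinks
    if ($rootReal === false || $target === false || !is_dir($target)) {
        throw new RuntimeException('no such directory');
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if ($target !== $rootReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('path escapes base directory');
    }
    return $target;
}

/** Entry point: the authorization check runs before any path is touched. */
function fm_enter(array $session, string $root, string $wdir): string
{
    fm_require_admin($session);
    return fm_resolve_dir($root, $wdir);
}

// Constructed demo input: a throwaway base directory and three requests.
$root = sys_get_temp_dir() . '/fm_demo_' . getmypid();
mkdir($root . '/images', 0700, true);
$admin = ['admin_id' => 1, 'is_admin' => true];
$cases = [
    'anonymous, /images'   => [[], '/images'],
    'admin, /images'       => [$admin, '/images'],
    'admin, /images/../..' => [$admin, '/images/../..'],
];
foreach ($cases as $label => [$session, $wdir]) {
    try {
        echo $label, ' => ', fm_enter($session, $root, $wdir), "\n";
    } catch (RuntimeException $e) {
        echo $label, ' => denied: ', $e->getMessage(), "\n";
    }
}
```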