--[ Network Tool 0.2 Addon for PHPNuke vulnerable to remote command execution ]-- Problem discovered: 16/11/2001 by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com http://www.isecurelabs.com/article.php?sid=209 --[ Description ]-- This Phpnuke addon includes web frontends for the following *nix commands: - Nmap - Ping - Traceroute. --[ Problem ]-- Network Tool 0.2 does not check for special meta-characters like &;`'"|*?~<>^()[]{}$ comming from the $hostinput variable. Asking the Php script for Pinging, Nmap, or traceroute this kind of adresse <www.somehost.com;ls -al> will allow any user to run " ls -al " command as whatever user runs the web server. --[ Fix ]-- Coders have been alerted Temp fix: $hostinput = system(escapeshellcmd($hostinput)); --[ Informations about Network Tool 0.2 ]-- http://phpnukerz.org/modules.php?name=Downloads&d_op=viewsdownload&sid=32 Author: Rick Fournier (rick@help-desk.ca) --- Cabezon Aurélien http://www.iSecureLabs.com aurelien.cabezon@iSecureLabs.com
