I. BACKGROUND

PHP-Nuke is a popular Web portal system.
Project homepage: http://www.phpnuke.org

II. DESCRIPTION

A remote attacker could transfer their own file to the server, or copy an arbitrary file from the system into a web-accessible directory. The result of such actions could be remote command execution under the privileges of the httpd server, or retrieval of sensitive information such as the database login and password. The attacker does not even have to be a registered user to carry out the attack, but does need a writable directory.

The crux of the problem lies in the WebMail module, specifically in the file mailattach.php. This module is attached by default to PHP-Nuke 6.0 (current). The module does not even have to be active for the attack to succeed, because the file can be accessed directly (there is no "modules.php in $PHP_SELF" check present in this file).

Snip from mailattach.php (the vulnerable code, reproduced as shipped; both the source path and the destination file name come straight from the request):

    if (isset($userfile) AND $userfile != "none") {
        if (ini_get(file_uploads) AND $attachments == 1) {
            $updir = "tmp";
            // $userfile (source) and $userfile_name (destination) are attacker-controlled
            @copy($userfile, "$updir/$userfile_name");
        }
    }

Sample attack which allows an attacker to grab the database password and login:

    http://target.server/modules/WebMail/mailattach.php?userfile=../../config.php&userfile_name=../attachments/file.txt&attachments=1

Using mailattach.php an attacker could upload a file with any extension, which allows uploading a .php file and executing arbitrary PHP code. To successfully exploit this vulnerability a writable directory is needed. When the module is active, the tmp and attachments directories should be writable to allow the module to work properly.

III. ANALYSIS

Remote exploitation allows an attacker to execute arbitrary commands and code under the privileges of the web server. This also opens the door to privilege escalation attacks. An attacker could also debug httpd child processes and grab secret information such as users' POP3 passwords used for authentication to the remote POP3 server in the WebMail module. Having the database password, the attacker also has access to all information about users.

IV. DETECTION

PHP-Nuke 6.0 with WebMail 0.9.3 is confirmed vulnerable.

--
Karol Więsek [appelast-at-bsquad.sm.pl]
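As an added defensive example (not PHP-Nuke's or the advisory author's code), here is a hardened replacement for the copy() call quoted in section II. It assumes the upload field is still named "userfile" and that $updir is the attachment directory; under register_globals the original's $userfile and $userfile_name are plain request parameters, which is why a local path such as ../../config.php is accepted as the source.

```php
<?php
// Added example, not PHP-Nuke code. Hardened replacement for the copy() call in
// mailattach.php. Assumes the form field is still named "userfile" and that
// $updir is the attachment directory (both assumptions, not from the advisory).

// Pure helper: derive a safe stored name from the client-supplied one.
// Returns null when the extension is not on the allow-list.
function safe_attachment_name(string $client_name, array $allowed): ?string
{
    // basename() drops any "../attachments/" prefix the client may send.
    $ext = strtolower(pathinfo(basename($client_name), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;                       // e.g. "shell.php" is rejected
    }
    // Server-generated name: the client never chooses the path component.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function save_attachment(string $updir, array $allowed = ['txt', 'pdf', 'png', 'jpg', 'gif']): string
{
    if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no file uploaded');
    }
    $tmp = $_FILES['userfile']['tmp_name'];
    // is_uploaded_file() is false for any path that was not an HTTP upload,
    // so "../../config.php" as a source is rejected here; copy() never checked.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('source is not an uploaded file');
    }
    $name = safe_attachment_name($_FILES['userfile']['name'], $allowed);
    if ($name === null) {
        throw new RuntimeException('file type not allowed');
    }
    $base = realpath($updir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('attachment directory missing');
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    // move_uploaded_file() also refuses non-upload sources, a second line of defence.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    return $dest;
}

// Self-check on constructed names (the pure helper needs no HTTP upload).
assert(safe_attachment_name('../attachments/file.txt', ['txt']) !== null);
assert(safe_attachment_name('shell.php', ['txt']) === null);
```

Even with these checks, the attachment directory should be served without a PHP script handler so that a stored file is never executed.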