Matt,

This is a known problem. Check on the securityfocus website for more info

=>

Date: Mon, 5 Nov 2001 17:19:45 -0200 (BRST)
From: masa@magnux.com
To: BUGTRAQ Mailing List <bugtraq@securityfocus.com>
Subject: Copying and Deleting Files Using PHP-Nuke

MASA:01-02:en - Copying and Deleting Files Using PHP-Nuke

Magnux Software Advisory - $Date: 2001/11/05 18:57:50 $

Overview

[1]PHP-Nuke is a popular web portal creation system written in [2]the
PHP language. Some PHP-Nuke versions have a security flaw that allows a
malicious user to copy and delete arbitrary files on the server machine.
If the malicious user is able to upload files to the web server using
some mechanism (e.g. anonymous FTP), he/she may be able to copy PHP
scripts to the web server document root and have them interpreted by the
scripting engine, which would allow him/her to run commands on the
machine remotely.

Copying and deleting files will be subject to the permissions of the
user id the web server is running as. However, it's a common scenario to
give the server write access to PHP-Nuke directories, or at least some
key files, so that site administration can be performed using a web
browser. This is explained in detail in the PHP-Nuke INSTALL file.

Detailed Description

The admin/case/case.filemanager.php script contains code to abort
execution if it is being called directly by the user, instead of being
included by the admin.php script. The code checks if the string
admin.php is present anywhere in the $PHP_SELF PHP variable, as an
indication that the file is being included by the aforementioned script.
Due to [3]a bug in PHP, a malicious user may insert the searched string
in the $PHP_SELF variable and thus make the test always pass. Together
with the use of automatic PHP global variables from query string
parameters, this flaw may be exploited to direct the script to copy and
delete arbitrary files on the server file system.

For example, the following URL will exploit the flaw to copy the file
php-nuke-document-root/config.php to
/var/ftp/incoming/phpnuke-config.txt:

<cut>

Solution/workarounds

This issue was explained in detail in a mail sent to Francisco Burzi
<[4]fbc@mandrakesoft.com> (the author of PHP-Nuke) on October 9, 2001,
for which we received no reply. A second mail was sent on October 17,
2001, which wasn't replied to either. We were not able to find any other
contact address on the PHP-Nuke web site. A final mail sent to some
standard contact address bounced. Due to this, there's no official
solution for this problem.

A possible workaround is to revoke access on the offending file to the
web server process; and/or use HTTP authentication to restrict access to
the flawed script, so that only trusted users may access it.

To deny file system access to the web server one may use the following
commands:

    # cd php-nuke-document-root
    # chmod 0 admin/case/case.filemanager.php

Consult your web server documentation to know how to restrict access to
that script based on login/password.

<cut>

On Sat, 10 Nov 2001, Matt Jezorek wrote:

> Date: Sat, 10 Nov 2001 20:28:42 -0500
> From: Matt Jezorek <matt@bluelinux.org>
> To: David Correa <tech@linux-tech.com>
> Subject: Re: Question about .eml files I am finding
>
> I am running PHP and a MyPHPnuke for a friend on that server. By the way
> all emails contain the readme.exe with the content type of a wav file
> which if I am not mistaken was a by-product of Nimda?
> ----- Original Message -----
> From: David Correa <tech@linux-tech.com>
> To: Matt Jezorek <matt@owsc.org>
> Sent: Saturday, November 10, 2001 9:04 PM
> Subject: Re: Question about .eml files I am finding
>
>
> >
> > Are you running PHP and PHPNuke?
> > dc
> >
> > On Sat, 10 Nov 2001, Matt Jezorek wrote:
> >
> > > Date: Sat, 10 Nov 2001 20:20:55 -0500
> > > From: Matt Jezorek <matt@owsc.org>
> > > Reply-To: security-discuss@linuxsecurity.com
> > > To: security-discuss@linuxsecurity.com
> > > Subject: Question about .eml files I am finding
> > >
> > >
> > > I am finding files on my filesystem mostly where apache has access
> > > and I have no clue why they are showing up on my server nor can I
> > > find any information in my logs
> > >
> > > Here is the Directory Listing

David Correa RHCE CCNA
tech@linux-tech.com
http://www.linux-tech.com
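
The include guard described in the advisory's "Detailed Description", beside a guard that does not depend on request data. This is an added example, not code from the thread, the advisory or PHP-Nuke; the function names, the ADMIN_ENTRY constant and the sample strings are assumptions made up for illustration.

```php
<?php
// Added illustration; not PHP-Nuke source. All names and sample strings
// below are hypothetical / constructed.

// Guard of the kind the advisory describes: it passes when the marker
// "admin.php" occurs anywhere in a request-derived string ($PHP_SELF).
function substring_guard(string $phpSelf): bool
{
    return strpos($phpSelf, 'admin.php') !== false;
}

// Alternative guard: the entry script defines a constant before it
// includes the module. Constants cannot be created from query string
// parameters, so the check does not depend on anything the client sends.
function constant_guard(): bool
{
    return defined('ADMIN_ENTRY');   // hypothetical constant name
}

// Constructed values standing in for $PHP_SELF, not real request paths.
$samples = [
    'entry script'            => '/admin.php',
    'module, direct request'  => '/admin/case/case.filemanager.php',
    'marker somewhere inside' => 'xx-admin.php-xx',
];

foreach ($samples as $label => $phpSelf) {
    // The third sample passes although the entry script never ran.
    printf("%-24s substring_guard=%s\n", $label,
        substring_guard($phpSelf) ? 'pass' : 'abort');
}

// Until the entry script has defined the constant, the module aborts
// regardless of what the request-derived string contains.
printf("%-24s constant_guard=%s\n", 'constant not defined',
    constant_guard() ? 'pass' : 'abort');

define('ADMIN_ENTRY', true);         // what the entry script would do
printf("%-24s constant_guard=%s\n", 'constant defined',
    constant_guard() ? 'pass' : 'abort');
```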