Re: Question about .eml files I am finding

This exploit can cause it to write to directories not even included in that
web root? These files are in a totally different web root. I have a few
virtual servers running on this machine.
Basically the file structure is set up like this:

/home/
    /dom/
        /virtual1 and here
        /virtual2 myphpnuke here
        /virtual3 files found here
        /virtual4 here
        /virtual5 and here

So this vulnerability can go all outside the web root?

Matt
----- Original Message -----
From: David Correa <tech@linux-tech.com>
To: Matt Jezorek <matt@bluelinux.org>
Cc: <security-discuss@linuxsecurity.com>
Sent: Saturday, November 10, 2001 9:13 PM
Subject: Re: Question about .eml files I am finding


> Matt,
>
> This is a known problem
> Check on the securityfocus website for more info =>
>
> Date: Mon, 5 Nov 2001 17:19:45 -0200 (BRST)
> From: masa@magnux.com
> To: BUGTRAQ Mailing List <bugtraq@securityfocus.com>
> Subject: Copying and Deleting Files Using PHP-Nuke
>
> MASA:01-02:en - Copying and Deleting Files Using PHP-Nuke
>
>    Magnux Software Advisory - $Date: 2001/11/05 18:57:50 $
>
> Overview
>
>    [1]PHP-Nuke is a popular web portal creation system written in [2]the
>    PHP language. Some PHP-Nuke versions have a security flaw that allows a
>    malicious user to copy and delete arbitrary files on the server
>    machine. If the malicious user is able to upload files to the web
>    server using some mechanism (e.g. anonymous FTP), he/she may be able
>    to copy PHP scripts to the web server document root and have them
>    interpreted by the scripting engine, which would allow him/her to run
>    commands on the machine remotely. Copying and deleting files will be
>    subject to the permissions of the user id the web server is running
>    as. However, it's a common scenario to give the server write access to
>    PHP-Nuke directories, or at least some key files, so that site
>    administration can be performed using a web browser. This is explained
>    in detail in the PHP-Nuke INSTALL file.
>
> Detailed Description
>
>    The admin/case/case.filemanager.php script contains code to abort
>    execution if it is being called directly by the user, instead of being
>    included by the admin.php script. The code checks whether the string
>    admin.php is present anywhere in the $PHP_SELF PHP variable, as an
>    indication that the file is being included by the aforementioned
>    script. Due to [3]a bug in PHP, a malicious user may insert the
>    searched string on the $PHP_SELF variable and thus make the test
>    always pass. Together with the use of automatic PHP global variables
>    from query string parameters, this flaw may be exploited to direct the
>    script to copy and delete arbitrary files on the server file system.
>    For example, the following URL will exploit the flaw to copy the file
>    php-nuke-document-root/config.php to
>    /var/ftp/incoming/phpnuke-config.txt:
>
> <cut>
> Solution/workarounds
>
>    This issue was explained in detail in a mail sent to Francisco Burzi
>    <[4]fbc@mandrakesoft.com> (the author of PHP-Nuke) on October 9, 2001,
>    for which we received no reply. A second mail was sent on October 17,
>    2001, which wasn't replied to either. We were not able to find any other
>    contact address on the PHP-Nuke web site. A final mail sent to some
>    standard contact address bounced.
>
>    Due to this, there's no official solution for this problem. A possible
>    workaround is to revoke access on the offending file to the web server
>    process; and/or use HTTP authentication to restrict access to the
>    flawed script, so that only trusted users may access it.
>
>    To deny file system access to the web server one may use the following
>    commands:
>
> # cd php-nuke-document-root
> # chmod 0 admin/case/case.filemanager.php
>
>    Consult your web server documentation to know how to restrict access
>    to that script based on login/password.
> <cut>
>
> On Sat, 10 Nov 2001, Matt Jezorek wrote:
>
> > Date: Sat, 10 Nov 2001 20:28:42 -0500
> > From: Matt Jezorek <matt@bluelinux.org>
> > To: David Correa <tech@linux-tech.com>
> > Subject: Re: Question about .eml files I am finding
> >
> > I am running PHP and a MyPHPnuke for a friend on that server. By the way all
> > emails contain the readme.exe with the content type of a wav file which if I
> > am not mistaken was a by-product of Nimda?
>
> > ----- Original Message -----
> > From: David Correa <tech@linux-tech.com>
> > To: Matt Jezorek <matt@owsc.org>
> > Sent: Saturday, November 10, 2001 9:04 PM
> > Subject: Re: Question about .eml files I am finding
> >
> >
> > >
> > > Are you running PHP and PHPNuke?
> > > dc
> > >
> > > On Sat, 10 Nov 2001, Matt Jezorek wrote:
> > >
> > > > Date: Sat, 10 Nov 2001 20:20:55 -0500
> > > > From: Matt Jezorek <matt@owsc.org>
> > > > Reply-To: security-discuss@linuxsecurity.com
> > > > To: security-discuss@linuxsecurity.com
> > > > Subject: Question about .eml files I am finding
> > > >
> > > >
> > > > I am finding files on my filesystem mostly where apache has access and I
> > > > have no clue why they are showing up on my server nor can I find any
> > > > information in my logs
> > > >
> > > > Here is the Directory Listing
>
> David Correa RHCE CCNA    _    _ _  _ _  _ _  _    ___ ____ ____ _  _
> tech@linux-tech.com       |    | |\ | |  |  \/      |  |___ |    |__|
> http://www.linux-tech.com |___ | | \| |__| _/\_     |  |___ |___ |  |
>
>
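Added example for this thread (written by the editor, not code from the thread, the advisory, or PHP-Nuke itself). It puts the include-guard shape the advisory describes (a substring test on $PHP_SELF) beside a guard that request data cannot influence, and adds the path-containment check that answers Matt's question: without such a check the script's copy/delete targets are limited only by the web server's file permissions, so a sibling virtual host's tree is as reachable as /var/ftp/incoming. The constant name ADMIN_CONTEXT, the function names, and the temporary document root are assumptions chosen for illustration.

```php
<?php
// Added example, not PHP-Nuke's own code. Function and constant names are
// illustrative. It contrasts the include guard the advisory describes with
// one that request data cannot influence, and adds a path-containment check
// that would have kept file operations inside the document root.

// 1. The guard shape the advisory describes: does the string "admin.php"
//    appear anywhere in $PHP_SELF? $PHP_SELF is derived from the request
//    URI, so the decision rests on attacker-influenced input.
function weak_include_guard(string $php_self): bool
{
    return strpos($php_self, 'admin.php') !== false;
}

// 2. A guard on a constant that only the including script defines.
//    Under register_globals a query-string parameter can become a variable,
//    but nothing in a request can define a constant. The legitimate
//    includer (admin.php) would run:
//        define('ADMIN_CONTEXT', true);
//        include 'case/case.filemanager.php';
//    and the included file would start with:
//        if (!strong_include_guard()) { exit('Access denied'); }
function strong_include_guard(): bool
{
    return defined('ADMIN_CONTEXT') && ADMIN_CONTEXT === true;
}

// 3. Path containment for copy/delete targets: resolve the path and insist
//    it stays under the document root. A destination such as
//    /var/ftp/incoming/... (the advisory's example) or a sibling virtual
//    host's tree (the question in this thread) is refused.
function is_within_root(string $candidate, string $root): bool
{
    $realRoot = realpath($root);
    if ($realRoot === false) {
        return false;
    }
    $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $real = realpath($candidate);
    if ($real === false) {
        // A copy destination may not exist yet: resolve its parent directory
        // (which collapses any "..") and keep the final component as given.
        $base = basename($candidate);
        $dir  = realpath(dirname($candidate));
        if ($dir === false || $base === '' || $base === '.' || $base === '..') {
            return false;
        }
        $real = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $base;
    }
    return strncmp($real . DIRECTORY_SEPARATOR, $realRoot, strlen($realRoot)) === 0;
}

// Constructed demonstration against a throwaway document root (assumption:
// a writable temp directory is available).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phpnuke-root-demo';
@mkdir($root . '/admin/case', 0700, true);
touch($root . '/config.php');

$guards = [
    'weak guard, included by admin.php'          => weak_include_guard('/admin.php'),
    'weak guard, direct request to script'       => weak_include_guard('/admin/case/case.filemanager.php'),
    'strong guard, no constant defined'          => strong_include_guard(),
];
define('ADMIN_CONTEXT', true);
$guards['strong guard, constant defined by includer'] = strong_include_guard();

$paths = [
    'copy target inside root'    => is_within_root($root . '/backup.txt', $root),
    'copy target outside root'   => is_within_root('/var/ftp/incoming/phpnuke-config.txt', $root),
    'traversal out of root'      => is_within_root($root . '/admin/../../escape.txt', $root),
    'existing file inside root'  => is_within_root($root . '/config.php', $root),
];

foreach ($guards + $paths as $label => $ok) {
    printf("%-45s %s\n", $label, $ok ? 'allowed' : 'refused');
}
```

Run it with `php example.php`. The two guards differ in what they consult: the weak one asks the request what it looks like, the strong one asks the interpreter what has already been executed, which is why the advisory's workaround (taking the script away from the web server entirely with chmod 0) is sound even though it is blunt. The containment check is the piece that bounds damage regardless of how the script is reached: every copy or delete target is resolved with realpath and compared against the resolved document root, so neither an absolute path nor a ".." sequence can steer the operation into another virtual host's directory.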
