php-nuke again ...

Karol Więsek
21/01/03, 12:53
-----BEGIN PGP SIGNED MESSAGE-----

I. BACKGROUND

PHP-Nuke is a popular Web portal system.

Project homepage : http://www.phpnuke.org

II. DESCRIPTION

A remote attacker can upload his own file to the server, or copy an
arbitrary file from the system into a web-accessible directory. The
result of either action can be remote command execution under the
privileges of the httpd server, or retrieval of sensitive information
such as the database login and password. The attacker does not even
need to be a registered user, but does need a writable directory.

The crux of the problem lies in the WebMail module, specifically in
the mailattach.php file. This module ships by default with PHP-Nuke
6.0 (current). The module does not even need to be active for the
attack to succeed, because the file can be requested directly (there
is no modules.php-in-$PHP_SELF check present in this file).

Snippet from mailattach.php:

<?php
// $userfile, $userfile_name and $attachments arrive straight from the
// request (register_globals); none of them is validated.
if (isset($userfile) AND $userfile != "none") {
    if (ini_get(file_uploads) AND $attachments == 1) {
        $updir = "tmp";
        // $userfile may be any readable server path and $userfile_name
        // any relative path (including ../), so this copies arbitrary
        // files to an attacker-chosen location.
        @copy($userfile, "$updir/$userfile_name");
    }
}

A sample attack that lets an attacker grab the database login and
password:

http://target.server/modules/WebMail/mailattach.php?
userfile=../../config.php&userfile_name=../attachments/file.txt&
attachments=1

Using mailattach.php, an attacker can upload a file with any
extension, which allows uploading a .php file and executing arbitrary
PHP code.

Successful exploitation requires a writable directory. When the
module is active, the tmp and attachments directories should be
writable for the module to work properly.
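For comparison, a hardened version of the same upload handler (an added example, not PHP-Nuke's own code). It assumes PHP 7 or later, a form field named "userfile", an attachment directory ATTACH_DIR and a module setting $attachments read from configuration rather than from the request:

```php
<?php
// Hardened replacement for the copy() pattern in mailattach.php.
// Assumed: ATTACH_DIR, the "userfile" form field, $attachments from config.
define('ATTACH_DIR', __DIR__ . '/tmp');

function save_attachment(array $file, $attachments, array $allowed_ext)
{
    // Same gate as the original, but ini_get() takes a quoted string.
    if (!ini_get('file_uploads') || (int) $attachments !== 1) {
        return false;
    }
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // copy($userfile, ...) accepted any readable server path such as
    // ../../config.php; is_uploaded_file() restricts the source to the
    // file PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // An extension whitelist stops a .php file landing in a web-reachable
    // directory; only the extension of the client name is consulted.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed_ext, true)) {
        return false;
    }
    // The stored name is generated server-side, so a client-supplied
    // $userfile_name (and any ../ inside it) never reaches the filesystem.
    $dest = ATTACH_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : false;
}

// Entry point: only multipart POST uploads, never GET query parameters.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    $attachments = 1; // assumed: taken from module configuration, not the request
    $saved = save_attachment($_FILES['userfile'], $attachments,
                             array('txt', 'pdf', 'png', 'jpg', 'gif'));
    if ($saved === false) {
        http_response_code(400);
        echo 'attachment rejected';
    }
}
```

ATTACH_DIR should still sit outside the document root, or carry a web-server rule that never executes scripts from it, so that a whitelist mistake does not become code execution.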

III. ANALYSIS

Remote exploitation allows an attacker to execute arbitrary commands
and code under the privileges of the web server. This also opens the
door to privilege escalation attacks. The attacker could also debug
httpd child processes and grab secrets such as users' POP3 passwords
used to authenticate to the remote POP3 server in the WebMail module.
Having the database password, he also has access to all information
about users.

IV. DETECTION

PHP-nuke 6.0 with WebMail 0.9.3 is confirmed vulnerable.

- --
Karol Więsek [appelast-at-bsquad.sm.pl]

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Bear Software, LLC, http://bear-software.freeservers.com
-----END PGP SIGNATURE-----