
Php-nuke 6.0 bug

by Nikola Strahija on January 22nd, 2003. A remote attacker could transfer his own file to the server or copy an arbitrary file from the system to an accessible directory.


PHP-Nuke is a popular Web portal system.

Project homepage : http://www.phpnuke.org

II. DESCRIPTION

A remote attacker could transfer his own file to the server or copy
an arbitrary file from the system to a web-accessible directory. The
result of such actions could be remote command execution under the
privileges of the httpd server, or retrieval of sensitive information
such as the database login and password. The attacker does not even
have to be a registered user to carry out the attack, but does need
a writable directory.

The crux of the problem lies in the WebMail module, specifically in
the mailattach.php file. This module ships by default with
PHP-Nuke 6.0 (current). The module does not even have to be active
for the attack to succeed, because the file can be accessed directly
(there is no check for modules.php in $PHP_SELF in this file).

Snippet from mailattach.php:

if (isset($userfile) AND $userfile != "none") {
    if (ini_get(file_uploads) AND $attachments == 1) {
        $updir = "tmp";
        // $userfile and $userfile_name come straight from the request
        // (register_globals). Neither is checked, so copy() reads any
        // file the web server can read and writes it to any path the
        // web server can write, including outside $updir.
        @copy($userfile, "$updir/$userfile_name");
    }
}

A sample request that lets an attacker grab the database password
and login:

http://target.server/modules/WebMail/mailattach.php?userfile=../../config.php&userfile_name=../attachments/file.txt&attachments=1

Using mailattach.php, an attacker could also upload a file with any
extension, which allows uploading a .php file and executing arbitrary
PHP code.

To exploit this vulnerability successfully, a writable directory is
needed. When the module is active, the tmp and attachments directories
should be writable for the module to work properly.
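The two defects above are that the source of the copy is a request-supplied path rather than a genuine HTTP upload, and that the destination name is taken from the request unfiltered. The following is an added example of a hardened attachment handler, written here for illustration; it is not PHP-Nuke's or the WebMail module's code. It assumes PHP 7 or later (for random_bytes), a form field still named "userfile", and an attachment directory (the ATTACH_DIR path is an assumed placeholder) that is not served by the web server:

```php
<?php
// Added example, not code from PHP-Nuke or the WebMail module.
// Assumed storage location outside the document root (placeholder path).
define('ATTACH_DIR', '/var/lib/webmail/attachments');

// Allow-list of extensions that the web server will never execute.
$allowed_ext = array('txt', 'pdf', 'png', 'jpg', 'gif');

/**
 * Store one uploaded attachment and return its final path, or false
 * when the request does not carry a legitimate, acceptable upload.
 */
function save_attachment(array $file, $dir, array $allowed_ext)
{
    // Accept only files PHP itself received as part of this HTTP upload.
    // A path like ../../config.php passed in a query string is not an
    // upload, so is_uploaded_file() rejects it outright.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }

    // Discard any directory component the client sent in the filename,
    // then check the extension against the allow-list.
    $name = basename($file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed_ext, true)) {
        return false; // blocks .php and other server-executable types
    }

    // The server chooses the stored name: the client controls neither the
    // destination directory nor the destination filename.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // move_uploaded_file() refuses sources that are not real uploads, so a
    // mistake elsewhere cannot turn this call into an arbitrary-file copy.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    return $dest;
}

// Uploads arrive in $_FILES, never in a plain request variable.
if (ini_get('file_uploads') && isset($_FILES['userfile'])) {
    $saved = save_attachment($_FILES['userfile'], ATTACH_DIR, $allowed_ext);
    echo $saved === false ? "attachment rejected\n" : "stored as $saved\n";
}
```

The important design choice is that none of the three values an attacker controlled in the original (the source path, the destination path, and the extension) reaches the filesystem call: the source must be a genuine upload, the destination is generated server-side in a non-web-served directory, and the extension must be on a short allow-list.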

III. ANALYSIS

Remote exploitation allows an attacker to execute arbitrary
commands and code under the privileges of the web server. This also
opens the door to privilege escalation attacks. The attacker could also
debug httpd child processes and grab secret information such as users'
POP3 passwords used for authentication to the remote POP3 server in the
WebMail module. Having the database password, he also has access to all
information about users.

IV. DETECTION

PHP-nuke 6.0 with WebMail 0.9.3 is confirmed vulnerable.

- --
Karol WiÍsek [appelast-at-bsquad.sm.pl]

