IndyNews - PhpNuke module: several problems
by Nikola Strahija on February 14th, 2003

IndyNews is a PhpNuke add-on that allows users to attach media files to articles. There are several problems with this add-on.
1) function delMediaFile()
- Anybody is able to delete any media attached to already approved articles.
2) function manageMedia()
- Anybody can delete any file owned by the user that runs the PHP script.
- By manipulating the cookie, you can modify the path of the uploaded files, so they can be saved wherever you want (into a directory writable by the process owner).
3) function editMediaDescr() and editMediaTempDescr()
- Anybody can edit the description of media attached to an approved or pending article.
Because the file description is displayed through the HTML alt="" attribute and its contents are not checked, it is possible to completely alter the layout of an article, for example by inserting arbitrary links, images, JavaScript code, etc.
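The checks that the list above reports as missing (an ownership check before editing or deleting media, a storage path that does not depend on the cookie, and escaping of the description before it reaches alt=""), sketched in PHP as an added example. This is not IndyNews code or the linked patch; the function names, MEDIA_BASE and the session/article array keys are assumptions.

```php
<?php
// Added example: hypothetical helpers, not IndyNews or PHP-Nuke code.
const MEDIA_BASE = '/var/www/html/media'; // assumed server-side setting

// Only the article's author or an administrator may edit or delete its media.
function may_modify_media(array $session, array $article): bool
{
    if (!empty($session['is_admin'])) {
        return true;
    }
    return isset($session['user_id'], $article['author_id'])
        && (int) $session['user_id'] === (int) $article['author_id'];
}

// Build the storage path from server configuration plus a bare file name.
// Returns null when no usable file name remains.
function media_path(string $base, string $clientName): ?string
{
    $leaf = basename(str_replace('\\', '/', $clientName));
    if ($leaf === '' || $leaf === '.' || $leaf === '..'
        || strpos($leaf, "\0") !== false) {
        return null;
    }
    return rtrim($base, '/') . '/' . $leaf;
}

// Escape the description before it is placed inside alt="".
function media_img(string $src, string $descr): string
{
    return sprintf(
        '<img src="%s" alt="%s">',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($descr, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample values, for illustration only.
$session = ['user_id' => 7, 'is_admin' => false];
$article = ['author_id' => 3];
$descr   = 'photo"><a href="http://example.invalid/">link</a>';

var_dump(may_modify_media($session, $article));      // caller is not the author
var_dump(media_path(MEDIA_BASE, '../../tmp/x.jpg')); // directory parts are dropped
echo media_img('/media/x.jpg', $descr), "\n";        // quotes and tags are escaped
```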
Solution:
Patch is available here: http://www.bergamoblog.it/modules.php?name=Downloads&d_op=getit&lid=4
Discovered by:
Elisa Manara http://www.entropika.net
Sed Software Consortium info (at) sed-consortium.com