Vulnerability: phpnuke
Affected: phpnuke

Description:
Joao Gouveia found the following.

There is yet another security flaw with the new phpnuke version. Look here (quote opendir.php):

    (...)
    $REQUEST_URI = strip_tags($REQUEST_URI);
    $res = explode("$PHP_SELF?", $REQUEST_URI);
    $odp_cat = $res[1];
    if (substr($odp_cat,0,1) == "/") $odp_cat = substr($odp_cat,1);
    (define $requesturl)
    (...)

So, you're defining $requesturl based on something like /folder/page just after the call to opendir.php. This is no good; one can simply just not supply a '/' as the first argument, thus allowing us to assign our own $requesturl.

Example:

    http://www.phpnuke.org/opendir.php?requesturl=/etc/passwd

You can actually insert any URL instead of "/etc/passwd" and have it read. Depending on the server's configuration, this could be abused to execute PHP code, probably, and from that, any UNIX shell command.

The author obviously doesn't care about security. He makes it perfectly clear in the installation instructions:

"3) In order to use the File Manager, please be sure to chmod 666 ALL files and 777 ALL directories.
4) Also, to activate Headlines you "need" to chmod 777 the "cache" directory, otherwise headlines won't work."

It's a nice piece of software, otherwise. Just have to be careful about which part to use...

Solution:
This problem is known and fixed by the author, and a patched opendir.php file has been made available for download from the phpnuke home site.

Patched opendir.php: http://www.phpnuke.org/download.php?op=mydown&did=64
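As an added example (not PHP-Nuke's code and not the patched opendir.php), the same split of $REQUEST_URI quoted in the Description, followed by the validation step the original lacks; the base directory, the category names and the request URIs are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not PHP-Nuke code: the split from opendir.php kept as-is,
// followed by validation that the original lacks. Assumes (hypothetically)
// that the intended value is a relative category path such as "folder/page"
// that is resolved below one fixed directory, $base.

function extract_odp_cat(string $request_uri, string $php_self): ?string
{
    // Same split as the quoted snippet: everything after "<php_self>?".
    $res = explode("$php_self?", $request_uri, 2);
    if (count($res) < 2) {
        return null;
    }
    $odp_cat = $res[1];
    if (substr($odp_cat, 0, 1) === '/') {
        $odp_cat = substr($odp_cat, 1);
    }
    return $odp_cat;
}

function safe_requesturl(?string $odp_cat, string $base): ?string
{
    if ($odp_cat === null || $odp_cat === '') {
        return null;
    }
    // Allowlist: segments of [A-Za-z0-9_-] joined by single slashes. This
    // rejects a leading "/", "..", "://", "?", "=" and NUL bytes in one test,
    // so the value can only name something under $base.
    if (!preg_match('#^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$#', $odp_cat)) {
        return null;
    }
    return rtrim($base, '/') . '/' . $odp_cat;
}

// Constructed request URIs; the second is the advisory's own example.
$cases = [
    '/opendir.php?Computers/Software',
    '/opendir.php?requesturl=/etc/passwd',
    '/opendir.php?http://example.invalid/x.txt',
    '/opendir.php?../../config.php',
];
foreach ($cases as $uri) {
    $cat  = extract_odp_cat($uri, '/opendir.php');
    $path = safe_requesturl($cat, '/var/www/odp');
    printf("%-45s -> %s\n", $uri, $path === null ? 'rejected' : "accepted: $path");
}
```

Only the first URI is accepted; the advisory's example, a remote URL and a traversal attempt all fail the allowlist before any file is opened.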