Vulnerability

    phpnuke

Affected

    phpnuke

Description

    Joao Gouveia found following.  There is yet another security  flaw
    with the new phpnuke version.  Look here (quote opendir.php):

        (...)
        $REQUEST_URI = strip_tags($REQUEST_URI);
        $res = explode("$PHP_SELF?", $REQUEST_URI);
        $odp_cat = $res[1];
        if (substr($odp_cat,0,1) == "/") $odp_cat = substr($odp_cat,1);
        (define $requesturl)
        (...)

    So,  you're   defining  $requesturl   based  on   something   like
    /folder/page just after the call to opendir.php.  This is no good,
    one can simply just don't suply a '/' as the first argument,  thus
    allowing to assign our own $requesturl.  Example:

        http://www.phpnuke.org/opendir.php?requesturl=/etc/passwd

    You can actually insert any URL instead of "/etc/passwd" and  have
    it read.  Depending on  the server's configuration, this could  be
    abused to  execute PHP  code, probably,  and from  that, any  UNIX
    shell command.  The author obviously doesn't care about  security.
    He makes it perfectly clear in the installation instructions:

        "3) In order to use the File Manager, please be sure to  chmod
            666 ALL files and 777 ALL directories.
         4) Also, to  activate Headlines you  "need" to chmod  777 the
            "cache" directory, otherwise headlines won't work."

    It's a nice piece of software, otherwise.  Just have to be careful
    about which part to use..

Solution

    This  problem  is  known  and  fixed  by  the author and a patched
    opendir.php file have  been made availible  for download from  the
    phpnuke home site.  Patched opendir.php:

        http://www.phpnuke.org/download.php?op=mydown&did=64