COMMAND

PHPNuke

SYSTEMS AFFECTED

PHPNuke 5.2

PROBLEM

In Magnux Software Advisory MASA:01-02:en from Magnux Software (http://www.magnux.com/), a security flaw that allows a malicious user to copy and delete arbitrary files on the server machine has been disclosed. If the malicious user is able to upload files to the web server by some mechanism (e.g. anonymous FTP), he/she may be able to copy PHP scripts into the web server document root and have them interpreted by the scripting engine, which would allow him/her to run commands on the machine remotely.

Copying and deleting files is subject to the permissions of the user id the web server runs as. However, it is a common scenario to give the server write access to PHP-Nuke directories, or at least to some key files, so that site administration can be performed using a web browser. This is explained in detail in the PHP-Nuke INSTALL file.

Detailed Description
====================

The admin/case/case.filemanager.php script contains code to abort execution if it is being called directly by the user instead of being included by the admin.php script. The code checks whether the string admin.php is present anywhere in the $PHP_SELF PHP variable, as an indication that the file is being included by the aforementioned script. Due to a bug in PHP, a malicious user may insert the searched-for string into the $PHP_SELF variable (the examples below append it as extra path information after the script name) and thus make the test always pass. Together with the use of automatic PHP global variables populated from query string parameters, this flaw may be exploited to direct the script to copy and delete arbitrary files on the server file system.

For example, the following URL will exploit the flaw to copy the file php-nuke-document-root/config.php to /var/ftp/incoming/phpnuke-config.txt:

http://example.org/admin/case/case.filemanager.php/admin.php?op=move&confirm=1&do=copy&basedir=&file=../../config.php&newfile=/var/ftp/pub/incoming/phpnuke-config.txt

The next example illustrates how a malicious user can copy a previously uploaded file (/var/ftp/pub/incoming/foobar.gif) to a PHP script (evil.php) under the web server document root:

http://example.org/admin/case/case.filemanager.php/admin.php?op=move&confirm=1&do=copy&basedir=&file=/var/ftp/pub/incoming/foobar.gif&newfile=evil.php

The following URL may be used to delete the file /tmp/foo on the server:

http://example.org/admin/case/case.filemanager.php/admin.php?op=del&confirm=1&basedir=&file=/tmp/foo

Who is Affected
===============

This flaw was found in PHP-Nuke 5.2. Other versions were not tested.

Note: Installations where the web server has no write access to the web server document root are _not safe_. This vulnerability allows a malicious user to access _any_ directory on the server file system; this can be used to copy sensitive system files (e.g. /etc/passwd, web server basic authentication password files, etc.) to places from which they can later be retrieved using other mechanisms.

SOLUTION

A possible workaround is to revoke the web server process's access to the offending file, and/or to use HTTP authentication to restrict access to the flawed script so that only trusted users may reach it. To deny the web server file system access to the script, one may use the following commands:

# cd php-nuke-document-root
# chmod 0 admin/case/case.filemanager.php

Consult your web server documentation to learn how to restrict access to that script based on login/password.
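As an added example (not part of the advisory or of PHP-Nuke), the following Python script scans Apache-style access-log lines for the access pattern the advisory describes: a direct request to case.filemanager.php carrying extra path information after the script name, and file=/newfile= parameters that escape basedir with an absolute path or "..". The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic); the third and
# fourth mirror the advisory's copy and delete requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2001:10:01:02 +0000] "GET /index.php HTTP/1.0" 200 5123
10.0.0.9 - - [12/Jun/2001:10:01:07 +0000] "GET /admin.php?op=FileManager HTTP/1.0" 200 2201
10.0.0.7 - - [12/Jun/2001:10:02:11 +0000] "GET /admin/case/case.filemanager.php/admin.php?op=move&confirm=1&do=copy&basedir=&file=../../config.php&newfile=/var/ftp/pub/incoming/phpnuke-config.txt HTTP/1.0" 200 310
10.0.0.7 - - [12/Jun/2001:10:03:40 +0000] "GET /admin/case/case.filemanager.php/admin.php?op=del&confirm=1&basedir=&file=/tmp/foo HTTP/1.0" 200 290
"""

# Common log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT = "/admin/case/case.filemanager.php"


def classify(target):
    """Return the reasons a request target matches the flaw's pattern ([] if clean)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    reasons = []
    idx = path.find(SCRIPT)
    if idx == -1:
        return reasons
    # The script is only meant to be included by admin.php, never requested itself.
    reasons.append("direct request to case.filemanager.php")
    trailing = path[idx + len(SCRIPT):]
    if trailing:
        # Extra PATH_INFO is how the string "admin.php" lands in $PHP_SELF.
        reasons.append("extra PATH_INFO after script name: " + trailing)
    qs = parse_qs(parts.query)
    for key in ("file", "newfile"):
        for value in qs.get(key, []):
            if value.startswith("/") or ".." in value:
                reasons.append(f"{key}= points outside basedir: {value}")
    return reasons


def scan(log_text):
    """Yield (client ip, request target, reasons) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

The same check can be applied live as a web-server rule: any request whose path contains case.filemanager.php followed by further path components should be rejected outright.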