Re: [Full-Disclosure] Possible bug in PHPNuke and other CMS

From: Sam Bashton (sam_at_ipsupport.co.uk)
Date: 06/01/04

  • Next message: sudharsha: "[Full-Disclosure] watch guard"
    To: Luca Falavigna <fala83@libero.it>
    Date: Tue, 1 Jun 2004 08:09:54 +0100
    
    

    On Sun, May 30, 2004 at 04:53:18PM +0200, Luca Falavigna wrote:
    > There is a vulnerability in PHPNuke that permits execution of arbitrary
    > SQL queries on a database located in the same server of an attacker's
    > account. This is the procedure: first of all attacker must create a
    > symlink pointing to victim's db directory in PHPNuke home directory
    > because of mainfile.php include method. After that he can build a simple
    > php code executing a query to the PHPNuke database. Here is an example:
    >
    > <?php
    > require_once ("/location_of_victim's_PHPNuke/mainfile.php");
    > $sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
    > while($record = $db->sql_fetchrow($sql))
    > ~ echo "Username: $record[aid]\n<br>\nPassword: $record[pwd]\n<br><br>\n";
    > unset($sql);
    > ?>

    This is an administration issue rather than a security vulnerability.
    In order to use this attack the attacker requires access to:

    1. Another site on the victim's server
    2. A sufficiently poorly administered server on which (s)he can:
        a. Create a symlink
        or
        b. Specify an absolute path for includes

    Those hosting multiple PHP sites ought to be using PHP's open_basedir
    directive to limit the files that can be opened by PHP. If this isn't
    being used they are plenty of other easy attacks open to anyone with an
    account on the same server.
        

    -- 
    Sam Bashton
    Systems Administrator
    IP Support 
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

  • Next message: sudharsha: "[Full-Disclosure] watch guard"

    Relevant Pages

    • Re: [Full-Disclosure] Possible bug in PHPNuke and other CMS
      ... > There is a vulnerability in PHPNuke that permits execution of arbitrary ... In order to use this attack the attacker requires access to: ... Another site on the victim's server ...
      (Bugtraq)
    • Re: [Full-Disclosure] Possible bug in PHPNuke and other CMS
      ... > There is a vulnerability in PHPNuke that permits execution of arbitrary ... In order to use this attack the attacker requires access to: ... Another site on the victim's server ...
      (Full-Disclosure)
    • RE: Is this as bad as it seems?
      ... The network being protected by the router or firewall is still vulnerable to ... > circumvented - the administrator has explicitly allowed HTTP traffic on ... this exploit has the effect of allowing the attacker to send *INBOUND* HTTP ... The HTTP server (located on the internal network or anywhere else that is ...
      (Security-Basics)
    • [NEWS] Firewall Circumvention Possible with All Browsers
      ... The exploit allows an attacker to use any JavaScript-enabled web browser ... any HTTP server behind the firewall. ... outlined in the section "Quick-Swap DNS". ... If the client in use is Microsoft Internet Explorer, ...
      (Securiteam)
    • [NT] Unchecked Buffer in Network Share Provider Can Lead to Denial of Service
      ... SMB (Server Message Block) is the protocol Microsoft uses to share files, ... The attacker could use both a user account and anonymous access to ... What's the scope of the vulnerability? ...
      (Securiteam)