Re: Question about .eml files I am finding

From: Matt Jezorek (matt@bluelinux.org)
Date: 11/11/01


Message-ID: <01c701c16a52$040b5a80$6501a8c0@nc.rr.com>
From: "Matt Jezorek" <matt@bluelinux.org>
To: "David Correa" <tech@linux-tech.com>
Subject: Re: Question about .eml files I am finding
Date: Sat, 10 Nov 2001 20:41:42 -0500

This exploit can cause it to write to directories not even included in that
web root? These files are in a totally different web root. I have a few
virtual servers running on this machine.
Basically the file structure is set up like this:

/home/
    /dom/
        /virtual1 and here
        /virtual2 myphpnuke here
        /virtual3 files found here
        /virtual4 here
        /virtual5 and here

So this vulnerability can go all outside the web root?

Matt
----- Original Message -----
From: David Correa <tech@linux-tech.com>
To: Matt Jezorek <matt@bluelinux.org>
Cc: <security-discuss@linuxsecurity.com>
Sent: Saturday, November 10, 2001 9:13 PM
Subject: Re: Question about .eml files I am finding

> Matt,
>
> This is a known problem
> Check on the securityfocus website for more info =>
>
> Date: Mon, 5 Nov 2001 17:19:45 -0200 (BRST)
> From: masa@magnux.com
> To: BUGTRAQ Mailing List <bugtraq@securityfocus.com>
> Subject: Copying and Deleting Files Using PHP-Nuke
>
> MASA:01-02:en - Copying and Deleting Files Using PHP-Nuke
>
> Magnux Software Advisory - $Date: 2001/11/05 18:57:50 $
>
> Overview
>
> [1]PHP-Nuke is a popular web portal creation system written in [2]the
> PHP language. Some PHP-Nuke versions have a security flaw that allows a
> malicious user to copy and delete arbitrary files on the server
> machine. If the malicious user is able to upload files to the web
> server using some mechanism (e.g. anonymous FTP), he/she may be able
> to copy PHP scripts to the web server document root and have them
> interpreted by the scripting engine, which would allow him/her to run
> commands on the machine remotely. Copying and deleting files will be
> subject to the permissions of the user id the web server is running
> as. However, it's a common scenario to give the server write access to
> PHP-Nuke directories, or at least some key files, so that site
> administration can be performed using a web browser. This is explained
> in detail in the PHP-Nuke INSTALL file.
>
> Detailed Description
>
> The admin/case/case.filemanager.php script contains code to abort
> execution if it is being called directly by the user, instead of being
> included by the admin.php script. The code checks if the string
> admin.php is present anywhere in the $PHP_SELF PHP variable, as an
> indication that the file is being included by the aforementioned
> script. Due to [3]a bug in PHP, a malicious user may insert the
> searched string into the $PHP_SELF variable and thus make the test
> always pass. Together with the use of automatic PHP global variables
> from query string parameters, this flaw may be exploited to direct the
> script to copy and delete arbitrary files on the server file system.
> For example, the following URL will exploit the flaw to copy the file
> php-nuke-document-root/config.php to
> /var/ftp/incoming/phpnuke-config.txt:
>
> <cut>
> Solution/workarounds
>
> This issue was explained in detail in a mail sent to Francisco Burzi
> <[4]fbc@mandrakesoft.com> (the author of PHP-Nuke) on October 9, 2001,
> for which we received no reply. A second mail was sent on October 17,
> 2001, which wasn't replied to either. We were not able to find any other
> contact address on the PHP-Nuke web site. A final mail sent to some
> standard contact address bounced.
>
> Due to this, there's no official solution for this problem. A possible
> workaround is to revoke access on the offending file to the web server
> process; and/or use HTTP authentication to restrict access to the
> flawed script, so that only trusted users may access it.
>
> To deny file system access to the web server one may use the following
> commands:
>
> # cd php-nuke-document-root
> # chmod 0 admin/case/case.filemanager.php
>
> Consult your web server documentation to know how to restrict access
> to that script based on login/password.
> <cut>
>
> On Sat, 10 Nov 2001, Matt Jezorek wrote:
>
> > Date: Sat, 10 Nov 2001 20:28:42 -0500
> > From: Matt Jezorek <matt@bluelinux.org>
> > To: David Correa <tech@linux-tech.com>
> > Subject: Re: Question about .eml files I am finding
> >
> > I am running PHP and a MyPHPnuke for a friend on that server. By the way all
> > emails contain the readme.exe with the content type of a wav file which if I
> > am not mistaken was a by-product of nimda?
>
> > ----- Original Message -----
> > From: David Correa <tech@linux-tech.com>
> > To: Matt Jezorek <matt@owsc.org>
> > Sent: Saturday, November 10, 2001 9:04 PM
> > Subject: Re: Question about .eml files I am finding
> >
> >
> > >
> > > Are you running PHP and PHPNuke?
> > > dc
> > >
> > > On Sat, 10 Nov 2001, Matt Jezorek wrote:
> > >
> > > > Date: Sat, 10 Nov 2001 20:20:55 -0500
> > > > From: Matt Jezorek <matt@owsc.org>
> > > > Reply-To: security-discuss@linuxsecurity.com
> > > > To: security-discuss@linuxsecurity.com
> > > > Subject: Question about .eml files I am finding
> > > >
> > > >
> > > > I am finding files on my filesystem mostly where apache has access and I
> > > > have no clue why they are showing up on my server nor can I find any
> > > > information in my logs
> > > >
> > > > Here is the Directory Listing
>
> David Correa RHCE CCNA
> tech@linux-tech.com
> http://www.linux-tech.com
>
>
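As an added illustration of the guard the quoted advisory describes (this is not PHP-Nuke's code nor the advisory's): a substring test on $PHP_SELF next to an include-guard that does not depend on the request path at all. The constant name NUKE_ADMIN_INCLUDED and the sample path values are assumptions constructed for the demonstration.

```php
<?php
// Added example, not PHP-Nuke's own code. Contrasts the "is admin.php
// somewhere in $PHP_SELF?" guard with a constant-based include guard.

// Weak guard: PHP_SELF is derived from the request URI, so any value a
// requester can influence that happens to contain the substring passes,
// even when the file is being requested directly.
function weakGuardPasses(string $phpSelf): bool
{
    return stripos($phpSelf, 'admin.php') !== false;
}

// Hardened guard: the including script (admin.php) runs define() just
// before the include. A direct request for the included file never
// executes that line, so the constant is absent whatever the URL says.
function strongGuardPasses(): bool
{
    return defined('NUKE_ADMIN_INCLUDED'); // hypothetical constant name
}

// Constructed PHP_SELF values for the demonstration.
$selfValues = [
    '/admin.php',                       // legitimate: included by admin.php
    '/admin/case/case.filemanager.php', // direct request: should be denied
    '/anything/mentioning/admin.php',   // attacker-influenced value containing the substring
];

foreach ($selfValues as $v) {
    printf("%-36s weak guard: %s\n", $v, weakGuardPasses($v) ? 'PASS' : 'denied');
}
// Expected: first and third PASS, second denied; the third is the problem.

// Strong guard, simulated direct call: nothing defined the constant.
printf("strong guard, direct call:   %s\n", strongGuardPasses() ? 'PASS' : 'denied');

// Strong guard, simulating admin.php defining the constant before include.
define('NUKE_ADMIN_INCLUDED', true);
printf("strong guard, via admin.php: %s\n", strongGuardPasses() ? 'PASS' : 'denied');
```

Run with `php example.php`; the constant-based guard denies the direct call and passes only when the defining line has executed, independent of $PHP_SELF.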

------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.