PHP-Nuke Input Validation Flaw in 'viewpage.php' Discloses Files on the System to Remote Users

SecurityTracker Alert ID: 1006377
SecurityTracker URL: http://securitytracker.com/id?1006377
CVE Reference: CVE-2003-1545
Updated: Jul 7 2008
Original Entry Date: Mar 25 2003
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 6.5

Description: An input validation vulnerability was reported in PHP-Nuke. A remote user can view files on the system that are readable by the web server.
It is reported that a remote user can specify a file name via the 'viewpage.php' script to read the file with the privileges of the web server process:
http://[target]/viewpage.php?file=/etc/passwd

Impact: A remote user can view specified files on the system with the privileges of the web server.
Solution: No solution was available at the time of this entry.
Vendor URL: www.phpnuke.org/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Zero_X www.lobnan.de Team" <zero-x@linuxmail.org>
Message History: None.

Source Message Contents

Date: 25 Mar 2003 16:32:07 -0000
From: "Zero_X www.lobnan.de Team" <zero-x@linuxmail.org>
Subject: PHPNuke viewpage.php allows Remote File retrieving

viewpage.php is a part of PHPNuke.
The Script allows an attacker to view all files on the System.
Example:
http://server.com/viewpage.php?file=/etc/passwd
Zero X member of www.Lobnan.de
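
With no fix available at the time of the entry, web server access logs can be scanned for 'viewpage.php' requests whose 'file' parameter names an absolute path or climbs out of the content directory. The Python below is an added example, not part of the advisory or of PHP-Nuke: the log lines are constructed, the function names are hypothetical, and the traversal, Windows-path and double-encoding checks generalize beyond the single /etc/passwd case reported.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (Apache combined format) for the demo.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2003:16:40:01 +0000] "GET /viewpage.php?file=/etc/passwd HTTP/1.0" 200 1432 "-" "-"
203.0.113.5 - - [25/Mar/2003:16:40:09 +0000] "GET /viewpage.php?file=..%252f..%252fconfig.php HTTP/1.0" 200 812 "-" "-"
198.51.100.7 - - [25/Mar/2003:16:41:00 +0000] "GET /viewpage.php?file=about.html HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [25/Mar/2003:16:41:30 +0000] "GET /modules.php?name=News&file=article HTTP/1.0" 200 9001 "-" "-"
192.0.2.44 - - [25/Mar/2003:16:42:12 +0000] "GET /nuke/viewpage.php?file=C:%5Cboot.ini HTTP/1.0" 404 210 "-" "-"
"""

# client address, request target and response status of one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        if (decoded := unquote(value)) == value:
            break
        value = decoded
    return value

def classify(path_value):
    """Return why a 'file' value points outside the page content, or None."""
    v = fully_decode(path_value).replace("\\", "/")
    if "\x00" in v:
        return "null byte"
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        return "absolute path"
    if ".." in v.split("/"):
        return "directory traversal"
    return None

def find_suspicious(log_text):
    """Return (client, status, file value, reason) for flagged viewpage.php requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/viewpage.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            if reason := classify(value):
                hits.append((client, int(status), fully_decode(value), reason))
    return hits
```

A flagged request that returned status 200 deserves a closer look than one that returned 404, since the response size in the same log line shows whether file contents were likely served.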