lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: msopacua at idg.nl (Melvyn Sopacua) Subject: Re: php-nuke again ... At 09:25 1/21/2003, Pawel Kaczor wrote: >on wed, 15 jan 2003, karol wi?sek wrote: > > > snip from mailatach.php > > > > if (isset($userfile) and $userfile != "none") { > > if (ini_get(file_uploads) and $attachments == 1) { > > $updir = "tmp"; > > @copy($userfile, "$updir/$userfile_name"); > > > > sample attack which allows an attacker to grab database password > > and login. > > > > http://target.server/modules/webmail/mailattach.php? > > userfile=../../config.php&userfile_name=../attachments/file.txt& > > attachments=1 > >i wasn't able to provide this attack succssefully but there's easy way of >prevention - one can put those lines at the beginning of mailattach.php >file: > >if (eregi("mailattach.php",$php_self)) { > header("location: ../../index.php"); > die(); >} Please - that is not a fix, but a delay of problems. $userfile should be verified as being an uploaded file. The best way is to break php3 compatibility, drop the register_globals requirement and use the $_FILES array and/or functions like is_uploaded_file, which are created for the purpose. This assumes that the content and extension of the file is not important - ie user-input validation, which is the general implementation error plagueing php-nuke throughout the entire source. Given it's trackrecord, uninstalling php-nuke is probably the longterm solution. Met vriendelijke groeten / With kind regards, Webmaster IDG.nl Melvyn Sopacua <@Logan> I spent a minute looking at my own code by accident. <@Logan> I was thinking "What the hell is this guy doing?" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists