Message-ID: <3E25B14B.66CCC670@bsquad.sm.pl>
From: appelast at bsquad.sm.pl (Karol Więsek)
Subject: php-nuke again ...

I. BACKGROUND

PHP-Nuke is a popular Web portal system.

Project homepage : http://www.phpnuke.org

II. DESCRIPTION

A remote attacker can transfer a file of their own to the server, or copy
an arbitrary file from the system into a web-accessible directory. The
result can be remote execution of commands under the privileges of the
httpd server, or disclosure of sensitive information such as the
database login and password. The attacker does not even have to be a
registered user to carry out the attack, but does need a writable directory.

The root of the problem lies in the WebMail module, specifically in the
mailattach.php file. This module is shipped by default with PHP-Nuke 6.0
(the current version). The module does not even have to be active for
an attack to succeed, because the file can be accessed directly (there
is no "modules.php in $PHP_SELF" check in this file).

Snippet from mailattach.php:

if (isset($userfile) AND $userfile != "none") {
    if (ini_get(file_uploads) AND $attachments == 1) {
	$updir = "tmp";
	/* Under register_globals both $userfile (the copy source, never checked
	   with is_uploaded_file()) and $userfile_name (the destination) are user-controlled. */
	@copy($userfile, "$updir/$userfile_name");
    }
}

Sample attack that allows an attacker to grab the database login and
password:

http://target.server/modules/WebMail/mailattach.php?
userfile=../../config.php&userfile_name=../attachments/file.txt&
attachments=1

Using mailattach.php, an attacker can upload a file with any extension,
which allows uploading an arbitrary .php file and executing arbitrary
PHP code.

Successful exploitation requires a writable directory. When the module
is active, the tmp and attachments directories should be writable so
that the module works properly.
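As an added example (not part of the original advisory and not PHP-Nuke's own code), a hardened replacement for the upload block quoted above: the direct-access check, the extension allow-list and the helper name are this example's assumptions.

```php
<?php
// Added example, not PHP-Nuke's own code: a hardened replacement for the
// mailattach.php upload block. The allow-list and helper name are assumptions.

// Refuse direct access; the original file lacked this PHP-Nuke-style check.
if (strpos($_SERVER['PHP_SELF'], 'modules.php') === false) {
    die("You can't access this file directly...");
}

/**
 * Store one HTTP-uploaded attachment under $updir and return its server path.
 * Throws RuntimeException on any failed check instead of silently copying.
 */
function store_attachment(array $file, string $updir, array $allowed_ext): string
{
    if (!ini_get('file_uploads') || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload not accepted');
    }
    // Only act on a file PHP itself received via HTTP upload. A caller-supplied
    // local path such as ../../config.php (the original bug) fails this test.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('source is not an uploaded file');
    }
    // Drop any directory component of the client-chosen name so a value like
    // ../attachments/x.txt cannot escape $updir; then allow-list the extension.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        throw new RuntimeException('file type not allowed'); // rejects .php etc.
    }
    // Server-chosen, unguessable name: the client never picks the destination.
    $dest = rtrim($updir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    return $dest;
}

// $attachments is the module's configuration flag, as in the original snippet.
if ($attachments == 1 && isset($_FILES['userfile'])) {
    try {
        $stored = store_attachment($_FILES['userfile'], 'tmp',
                                   ['txt', 'pdf', 'jpg', 'png', 'gif']);
    } catch (RuntimeException $e) {
        $stored = null; // log $e->getMessage(); show the user a generic error
    }
}
```

The PHP_SELF test only restores the gate the other modules already have; the protection that matters is that a file is never copied from a caller-supplied path nor to a caller-supplied name.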

III. ANALYSIS

Remote exploitation allows an attacker to execute arbitrary commands
and code under the privileges of the web server. This also opens the
door to privilege escalation attacks. The attacker could also debug
httpd child processes and obtain secrets such as users' POP3 passwords,
which the WebMail module uses to authenticate to the remote POP3 server.
With the database password, the attacker also has access to all
information about users.

IV. DETECTION

PHP-Nuke 6.0 with WebMail 0.9.3 is confirmed vulnerable.

-- 
Karol Więsek [appelast-at-bsquad.sm.pl]
