[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5.1.0.14.2.20030121135845.05db99b8@yoshimo.webtechs.idg.nl>
From: msopacua at idg.nl (Melvyn Sopacua)
Subject: Re: php-nuke again ...
At 09:25 1/21/2003, Pawel Kaczor wrote:
>on wed, 15 jan 2003, karol wi?sek wrote:
>
> > snip from mailatach.php
> >
> > if (isset($userfile) and $userfile != "none") {
> > if (ini_get(file_uploads) and $attachments == 1) {
> > $updir = "tmp";
> > @copy($userfile, "$updir/$userfile_name");
> >
> > sample attack which allows an attacker to grab database password
> > and login.
> >
> > http://target.server/modules/webmail/mailattach.php?
> > userfile=../../config.php&userfile_name=../attachments/file.txt&
> > attachments=1
>
>i wasn't able to provide this attack succssefully but there's easy way of
>prevention - one can put those lines at the beginning of mailattach.php
>file:
>
>if (eregi("mailattach.php",$php_self)) {
> header("location: ../../index.php");
> die();
>}
Please - that is not a fix, but a delay of problems. $userfile should be
verified
as being an uploaded file. The best way is to break php3 compatibility, drop
the register_globals requirement and use the $_FILES array and/or functions
like is_uploaded_file, which are created for the purpose. This assumes that
the content and extension of the file is not important - ie user-input
validation,
which is the general implementation error plagueing php-nuke throughout the
entire source.
Given it's trackrecord, uninstalling php-nuke is probably the longterm
solution.
Met vriendelijke groeten / With kind regards,
Webmaster IDG.nl
Melvyn Sopacua
<@Logan> I spent a minute looking at my own code by accident.
<@Logan> I was thinking "What the hell is this guy doing?"
Powered by blists - more mailing lists