Full Disclosure mailing list archives
Re: Re: php-nuke again ...
From: Melvyn Sopacua <msopacua () idg nl>
Date: Tue, 21 Jan 2003 14:07:00 +0100
At 09:25 1/21/2003, Pawel Kaczor wrote:
on wed, 15 jan 2003, karol wiêsek wrote:
> snip from mailatach.php
>
> if (isset($userfile) and $userfile != "none") {
> if (ini_get(file_uploads) and $attachments == 1) {
> $updir = "tmp";
> @copy($userfile, "$updir/$userfile_name");
>
> sample attack which allows an attacker to grab database password
> and login.
>
> http://target.server/modules/webmail/mailattach.php?
> userfile=../../config.php&userfile_name=../attachments/file.txt&
> attachments=1
i wasn't able to provide this attack succssefully but there's easy way of
prevention - one can put those lines at the beginning of mailattach.php
file:
if (eregi("mailattach.php",$php_self)) {
header("location: ../../index.php");
die();
}
Please - that is not a fix, but a delay of problems. $userfile should be verified
as being an uploaded file. The best way is to break php3 compatibility, drop the register_globals requirement and use the $_FILES array and/or functions like is_uploaded_file, which are created for the purpose. This assumes thatthe content and extension of the file is not important - ie user-input validation,
which is the general implementation error plagueing php-nuke throughout the entire source.Given it's trackrecord, uninstalling php-nuke is probably the longterm solution.
Met vriendelijke groeten / With kind regards, Webmaster IDG.nl Melvyn Sopacua <@Logan> I spent a minute looking at my own code by accident. <@Logan> I was thinking "What the hell is this guy doing?" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- php-nuke again ... Karol Więsek (Jan 15)
- Re: php-nuke again ... Pawel Kaczor (Jan 21)
- Message not available
- Re: Re: php-nuke again ... Melvyn Sopacua (Jan 21)
