Possible bug in PHPNuke and other CMS

JeanClaude writes "Source: SECURITY FOCUS
There is a vulnerability in PHPNuke that permits execution of arbitrary
SQL queries on a database located on the same server as an attacker's
account. This is the procedure: first of all, the attacker must create a
symlink pointing to the victim's db directory in the PHPNuke home directory
because of the mainfile.php include method. After that he can build simple
PHP code executing a query to the PHPNuke database.
Here is an example:
---------------------[CODE]-------------------
require_once ("/location_of_victim's_PHPNuke/mainfile.php");
$sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
while($record = $db->sql_fetchrow($sql))
~ echo "Username: $record[aid]
Password: $record[pwd]
";
unset($sql);
?>
-------------------------[/CODE]-----------------
Queries are executed normally because config.php (which is included by
mainfile.php) provides the information needed to connect to the chosen
database. This is a very easy way to deface PHPNuke-based websites, add
and remove users, and so on.
This "homemade patch" goes in config.php, just below the connection
variables. It checks the domain name provided by the web server against the
one provided by the user and grants execution of SQL queries only if the
domain names match. Here is the code:
---------------------------[CODE]--------------------
$domainname = "www.example.com";
if ($_SERVER['SERVER_NAME'] != $domainname ) {
~ echo "Access denied";
~ die();
}
---------------------------[/CODE]--------------------
"
Posted on Saturday, June 05 @ 12:23:41 CEST by IACOJ

Re: Possible bug in PHPNuke and other CMS (Score: 1)
by MGCJerry on Saturday, June 05 @ 13:51:42 CEST

This isn't necessarily a bug in PHP-Nuke or other CMS systems. This is a sign of a host/server admin who has not secured the server properly and has not read any security tips.
If you have a host that has this problem, nuke *is* the least of your worries.
Under a properly secured server, doing this is not possible. ;)
Solution:
Find a new host. Adding this code into your site is only putting a band-aid on a slit throat.

Re: Possible bug in PHPNuke and other CMS (Score: 1)
by MrFluffy on Saturday, June 05 @ 14:02:00 CEST, http://www.conrads-berlin.de

I have changed that to
---------------------------[CODE]--------------------
$domainname = "domain.com";
$fulldomainname = "www.domain.com";
if ($_SERVER['SERVER_NAME'] != $domainname && $_SERVER['SERVER_NAME'] != $fulldomainname) {
echo "Access denied";
die();
}
---------------------------[/CODE]--------------------
... to be able to access via the TLD; also, the '~' gave me syntax errors.
Does that weaken the fix?

Re: Possible bug in PHPNuke and other CMS (Score: 1)
by chican0 on Saturday, June 05 @ 21:32:46 CEST, http://www.soychicano.com

OOoohhh. This is a huge vulnerability for your host. The server is considered to have a big security hole in it if PHP open_basedir protection is not enabled. PHP's open_basedir protection prevents users from opening files outside of their home directory with PHP.
If this is a problem, then it may be possible for an attacker to install unwanted processes and malicious scripts onto the server.
If I were you, I would quickly notify your host of the problem and tell them to secure their box.
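
For a host administrator who wants to check a shared server for the cross-account symlink step described in the post, here is an audit sketch. It is an added example, not code from the original post, the commenters, or PHPNuke. It assumes a hypothetical layout with one directory per account under a common root; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def find_escaping_symlinks(home_root):
    """Return (account, link_path, resolved_target) for every symlink under
    home_root/<account>/ whose target resolves outside that account's tree."""
    findings = []
    home_root = os.path.realpath(home_root)
    for account in sorted(os.listdir(home_root)):
        base = os.path.join(home_root, account)
        if os.path.islink(base) or not os.path.isdir(base):
            continue
        # os.walk does not descend into symlinked directories by default,
        # so each link is reported once and never followed.
        for dirpath, dirnames, filenames in os.walk(base):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                # commonpath compares whole path components, so
                # /home/att is not mistaken for a parent of /home/attacker.
                if os.path.commonpath([base, target]) != base:
                    findings.append((account, path, target))
    return findings

def build_sample_tree(root):
    """Constructed layout: two accounts, one link crossing between them."""
    victim_db = os.path.join(root, "victim", "public_html", "db")
    attacker_web = os.path.join(root, "attacker", "public_html")
    os.makedirs(victim_db)
    os.makedirs(os.path.join(attacker_web, "images"))
    # Cross-account link of the kind the post describes.
    os.symlink(victim_db, os.path.join(attacker_web, "db"))
    # Link that stays inside the owner's own tree: must not be reported.
    os.symlink(os.path.join(attacker_web, "images"),
               os.path.join(attacker_web, "img"))
    return victim_db

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for account, link, target in find_escaping_symlinks(root):
            print(f"{account}: {link} -> {target}")
```

A finding is a lead for review rather than proof of abuse, since some hosting layouts create legitimate links outside the account directory.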