pm.php direct access?!?

Nuke Soldier Joined: Mar 17, 2009 Posts: 14

I noticed every PM ever sent on our site is easily viewed by typing the pm.php directory location in a web browser. No registration is necessary.

Surely this is not supposed to work this way.

Site Admin Joined: Aug 17, 2003 Posts: 12482

What version are you using? No current phpNuke uses pm.php

Nuke Soldier Joined: Mar 17, 2009 Posts: 14

7.8

Site Admin Joined: Aug 17, 2003 Posts: 12482

Have an example? I don't see this in my files anywhere

Nuke Soldier Joined: Mar 17, 2009 Posts: 14

It was sitting in the /html directory.

Typing MYWEBSITE.com/pm.php would show the entire history.

I moved it. Everything still works.

Site Admin Joined: Aug 17, 2003 Posts: 12482

Good enough. This file isn't included anywhere in the phpNuke package Wink

Captain Joined: Sep 13, 2003 Posts: 355

I would guess that a hacker has uploaded pm.php to your site. Similar things happened to me when I used SpChat. Certain modules can be abused to upload things.

Nuke Soldier Joined: Mar 17, 2009 Posts: 14

Could be. One thing is certain. It was put there intentionally by someone.

Nuke Cadet Joined: Sep 03, 2008 Posts: 6

What version are you using?

Premium Joined: Jul 17, 2003 Posts: 49

I know this is a little late, but for future reference:

Check with your web host - this looks like a server security issue. Also check your web logs.

Captain Joined: Sep 13, 2003 Posts: 355

When you look in your accesslogs make a search in them for pm.php and you will maybe easy find how the hacker uploaded it.