From masa@magnux.com Thu Nov 8 22:39:09 2001
From: masa@magnux.com
To: BUGTRAQ Mailing List
Date: Mon, 5 Nov 2001 17:19:45 -0200 (BRST)
Subject: Copying and Deleting Files Using PHP-Nuke

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MASA:01-02:en - Copying and Deleting Files Using PHP-Nuke

Magnux Software Advisory - $Date: 2001/11/05 18:57:50 $

Overview

[1]PHP-Nuke is a popular web portal creation system written in [2]the PHP language. Some PHP-Nuke versions have a security flaw that allows a malicious user to copy and delete arbitrary files on the server machine. If the malicious user is also able to upload files to the web server by some other mechanism (e.g. anonymous FTP), he/she may be able to copy a PHP script into the web server document root and have it interpreted by the scripting engine, which would allow him/her to run commands on the machine remotely.

Copying and deleting files is subject to the permissions of the user id the web server runs as. However, it is a common scenario to give the server write access to the PHP-Nuke directories, or at least to some key files, so that site administration can be performed using a web browser. This is explained in detail in the PHP-Nuke INSTALL file.

Detailed Description

The admin/case/case.filemanager.php script contains code that aborts execution if it is being called directly by the user instead of being included by the admin.php script. The code checks whether the string "admin.php" is present anywhere in the $PHP_SELF variable, taking that as an indication that the file was included by the aforementioned script. Due to [3]a bug in PHP, a malicious user can insert the searched-for string into $PHP_SELF (by appending "/admin.php" to the request path as extra path information, as the URLs below show) and thus make the test always pass.
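The following PHP is an added illustration and is not code from PHP-Nuke or from this advisory. It reconstructs the kind of guard just described (a substring test on $PHP_SELF), shows why a request path ending in "/admin.php" satisfies it, and contrasts it with a guard based on a constant that only admin.php defines, plus a path-containment check of the sort the file manager would need in order to refuse the "../../config.php" and absolute-path arguments used in the URLs below. The constant name NUKE_ADMIN_INCLUDED, the function names and the temporary directory used as the base directory are assumptions, not PHP-Nuke identifiers.

```php
<?php
// Added illustration, not PHP-Nuke's own code. Identifiers below
// (NUKE_ADMIN_INCLUDED, is_included_vulnerable, is_included_hardened,
// resolve_under) are assumptions chosen for this example.

// Constructed request data: a direct call to the file manager with
// "/admin.php" appended as extra path information, as in the advisory's
// example URLs. PHP places the script path plus that tail in $PHP_SELF.
$php_self = '/admin/case/case.filemanager.php/admin.php';

// --- Vulnerable guard (the pattern the advisory describes) ---
// Passes whenever "admin.php" occurs anywhere in $PHP_SELF, including in
// the PATH_INFO tail, which the client controls.
function is_included_vulnerable(string $php_self): bool
{
    return strstr($php_self, 'admin.php') !== false;
}

// --- Hardened guard ---
// admin.php would define the constant before including the sub-script;
// the sub-script refuses to run unless it is present. Unlike a plain
// variable under register_globals, a constant cannot be set from the
// query string.
function is_included_hardened(): bool
{
    return defined('NUKE_ADMIN_INCLUDED') && NUKE_ADMIN_INCLUDED === true;
}

// --- Path containment for file operations ---
// Resolve the requested name beneath the permitted base directory and
// reject anything that escapes it: absolute paths, "../" sequences, and
// directory symlinks that point outside. Only the leaf may be new (so a
// copy target can be created); its parent directory must already exist.
function resolve_under(string $base, string $name): ?string
{
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;
    }
    $dir_real = realpath($base_real . '/' . dirname($name));
    if ($dir_real === false) {
        return null;
    }
    $leaf = basename($name);
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return null;
    }
    $candidate = $dir_real . DIRECTORY_SEPARATOR . $leaf;
    $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // realpath() resolved the directory but not the leaf itself; refuse a
    // leaf that is a symlink so it cannot redirect the operation outside.
    if (is_link($candidate)) {
        return null;
    }
    return $candidate;
}

// Demonstration: a temporary directory stands in for the file manager's
// base directory.
$base = sys_get_temp_dir() . '/nuke_demo_' . getmypid();
mkdir($base . '/images', 0700, true);

var_dump(is_included_vulnerable($php_self));        // the substring guard is satisfied
var_dump(is_included_hardened());                    // direct call: constant never defined
var_dump(resolve_under($base, 'images/logo.gif'));   // stays inside the base directory
var_dump(resolve_under($base, '../../config.php'));  // escapes the base: rejected
var_dump(resolve_under($base, '/tmp/foo'));          // absolute path: rejected

rmdir($base . '/images');
rmdir($base);
```

Run it with the PHP command-line interpreter. The hardened guard only helps if admin.php defines the constant before the include; a plain variable flag would be no better than the $PHP_SELF test under register_globals, since any variable can then be supplied from the query string, which is why a constant is used. The containment check is independent of the guard and is what actually stops the "file=" and "newfile=" arguments in the URLs below from naming files outside the intended directory.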
Together with PHP's automatic creation of global variables from query string parameters, this flaw can be exploited to direct the script to copy and delete arbitrary files on the server file system. For example, the following URL exploits the flaw to copy the file php-nuke-document-root/config.php to /var/ftp/pub/incoming/phpnuke-config.txt:

  http://example.org/admin/case/case.filemanager.php/admin.php?op=move&
  confirm=1&do=copy&basedir=&file=../../config.php&
  newfile=/var/ftp/pub/incoming/phpnuke-config.txt

The next example illustrates how a malicious user can copy a previously uploaded file (/var/ftp/pub/incoming/foobar.gif) to a PHP script (evil.php) under the web server document root:

  http://example.org/admin/case/case.filemanager.php/admin.php?op=move&
  confirm=1&do=copy&basedir=&file=/var/ftp/pub/incoming/foobar.gif&
  newfile=evil.php

The following URL may be used to delete the file /tmp/foo on the server:

  http://example.org/admin/case/case.filemanager.php/admin.php?op=del&
  confirm=1&basedir=&file=/tmp/foo

Note: the URLs were split into separate lines for formatting reasons only. Join the lines together to form the final URLs.

Impact

Remote users can copy and delete arbitrary files on the server system, subject to the restrictions of the web server user id.

Who is Affected

This flaw was found in PHP-Nuke 5.2. Other versions were not tested.

Note: installations where the web server has no write access to the web server document root are _not safe_. This vulnerability allows a malicious user to access _any_ directory on the server file system; this can be used to copy sensitive system files (e.g. /etc/passwd, web server basic authentication password files, etc.) to places from which they can later be retrieved using other mechanisms.

Solution/workarounds

This issue was explained in detail in a mail sent to Francisco Burzi <[4]fbc@mandrakesoft.com> (the author of PHP-Nuke) on October 9, 2001, for which we received no reply.
A second mail was sent on October 17, 2001, which wasn't replied to either. We were not able to find any other contact address on the PHP-Nuke web site. A final mail sent to some standard contact addresses bounced. Due to this, there is no official solution for this problem.

A possible workaround is to revoke the web server process's access to the offending file, and/or to use HTTP authentication to restrict access to the flawed script so that only trusted users may reach it. Note that the first measure also disables the file manager for legitimate use, since admin.php can no longer include the file. To deny the web server access to the script one may use the following commands:

  # cd php-nuke-document-root
  # chmod 0 admin/case/case.filemanager.php

Consult your web server documentation to learn how to restrict access to that script based on login/password.

Additional Information

MASA:01-02:en

Copyright (c) 2001 by Magnux Software, Rio de Janeiro/Brazil. All rights reserved.

This document may be copied and distributed freely in electronic form, provided that you keep it unchanged. Parts of it may be used unchanged and in electronic form only without the need for explicit author authorization, provided that proper credit is given in the form "MASA:01-02:en from Magnux Software (http://www.magnux.com/)". To copy or reprint the whole or any part of this document in any other non-electronic medium, contact <[5]masa@magnux.com>.

The information in this document may change without notice.

The information contained in this document is provided for _EDUCATIONAL PURPOSES ONLY_ and without _ANY WARRANTY_. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

This advisory and further updates, plus other advisories issued by Magnux Software, can be found on the [6]MASA Advisories Page on the [7]Magnux Software INTL web site. Questions about Magnux Software may be sent to <[8]admin@magnux.com>. GPG keys are available at [9]http://www.magnux.com/gpg-keys.txt.
References

1. http://www.phpnuke.org/
2. http://www.php.net/
3. http://bugs.php.net/bug.php?id=13606
4. mailto:fbc@mandrakesoft.com
5. mailto:masa@magnux.com
6. http://intl.magnux.com/masa/
7. http://intl.magnux.com/
8. mailto:admin@magnux.com
9. http://www.magnux.com/gpg-keys.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE75uFwCd55iUBoMvYRAmvRAJ9VEtiS1rSl1b2Nwt8KJnFpA8u18wCgkLFE
Tf/rFeoAMlF76vZcOkiGJK8=
=xb3g
-----END PGP SIGNATURE-----