Re: Possible bug in PHPNuke and other CMS

To: Luca Falavigna <fala83@xxxxxxxxx>, Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: Possible bug in PHPNuke and other CMS
From: Alexander GQ Gerasiov <bugtaq@xxxxxxxx>
Date: Tue, 1 Jun 2004 08:50:47 +0400
In-reply-to: <40B9F55E.9050402@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Home
References: <40B9F55E.9050402@xxxxxxxxx>

Hello Luca,

Sunday, May 30, 2004 you wrote:

LF> -----BEGIN PGP SIGNED MESSAGE-----
LF> Hash: SHA1

LF> There is a vulnerability in PHPNuke that permits execution of arbitrary
LF> SQL queries on a database located in the same server of an attacker's
LF> account. This is the procedure: first of all attacker must create a
LF> symlink pointing to victim's db directory in PHPNuke home directory
LF> because of mainfile.php include method. After that he can build a simple
LF> php code executing a query to the PHPNuke database. Here is an example:

I'm sure that such problems must be fixed not with some hacks like
yours (checking domain name), but with webserver configuration (uid
and permissions, php abilities (like safe mode or open_base_dir
option) etc.)

-- 
Best regards,
 Alexander GQ Gerasiov <bugtaq@xxxxxxxx>

Follow-Ups:
- Re: Possible bug in PHPNuke and other CMS
  - From: Luca Falavigna

References:
- Possible bug in PHPNuke and other CMS
  - From: Luca Falavigna

Prev by Date: Re: [Full-Disclosure] Possible bug in PHPNuke and other CMS
Next by Date: Re: LinkSys WRT54G administration page availble to WAN
Previous by thread: Re: [Full-Disclosure] Possible bug in PHPNuke and other CMS
Next by thread: Re: Possible bug in PHPNuke and other CMS
Index(es):
- Date
- Thread