(Additional Vulnerability Information is Provided) Re: PHP-Nuke Lets Remote Users Upload Files to the Server and Copy Files on the Server, Yielding User Level Access on the Server
SecurityTracker Alert ID: 1002716
SecurityTracker URL: http://securitytracker.com/id/1002716
Date: Nov 8 2001
Modification of system information, Modification of user information, User access via network
Exploit Included: Yes
Version(s): all versions except '5.0 RC1', an interim release
A vulnerability was reported by twlc in PHP-Nuke. The security hole allows remote users to copy files on the system with the privileges of the web server and to upload files to the system.
It is reported that the 'admin.php' administrative component of PHP-Nuke fails to check certain commands to see if the user is authenticated and has administrative privileges. This allows unauthorized users to issue commands, including file copy commands, via the FileManager() function.
The Magnux Software Advisory, provided in the Source Message, provides a good, clear description of the details of the vulnerability.
A remote user can upload files to the server and can copy files on the server with the privileges of the web server. This can allow a remote user to obtain user level access on the server.
No vendor solution was available at the time of this entry.
The author of the report recommends removing the FileManager function and using FTP to upload files instead of FileManager.
Vendor URL: www.phpnuke.org/
Access control error, Authentication error
Linux (Any), UNIX (Any)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Thu, 08 Nov 2001 14:57:55 -0500
Subject: Copying and Deleting Files Using PHP-Nuke
MASA:01-02:en - Copying and Deleting Files Using PHP-Nuke
Magnux Software Advisory - $Date: 2001/11/05 18:57:50 $
PHP-Nuke is a popular web portal creation system written in the PHP
language. Some PHP-Nuke versions have a security flaw that allows a
malicious user to copy and delete arbitrary files on the server machine.
If the malicious user is able to upload files to the web server using
some mechanism (e.g. anonymous FTP), he/she may be able to copy PHP
scripts to the web server document root and have them interpreted by the
scripting engine, which would allow him/her to run commands on the
machine remotely. Copying and deleting files will be subject to the
permissions of the user id the web server is running as. However, it's a
common scenario to give the server write access to PHP-Nuke directories,
or at least some key files, so that site administration can be performed
using a web browser. This is explained in detail on the PHP-Nuke
The admin/case/case.filemanager.php script contains code to abort
execution if it is being called directly by the user, instead of being
included by the admin.php script. The code checks if the string admin.php
is present anywhere on the $PHP_SELF PHP variable, as an indication that
the file is being included by the aforementioned script. Due to a bug in
PHP, a malicious user may insert the searched string on the $PHP_SELF
variable and thus make the test always pass. Together with the use of
automatic PHP global variables from query string parameters, this flaw
may be exploited to direct the script to copy and delete arbitrary files
on the server file system. For example, the following URL will exploit
the flaw to copy the file php-nuke-document-root/config.php to
The next example illustrates how a malicious user can copy a previously
uploaded file (/var/ftp/pub/incoming/foobar.gif) to a PHP script
(evil.php) under the web server document root:
The following URL may be used to delete the file /tmp/foo on the server:
Note: The URLs were split into separate lines for formatting
reasons only. You must join the lines together to form the final URLs.
Remote users can copy and delete arbitrary files on the server system,
subject to web server user id restrictions.
Who is Affected
This flaw was found in PHP-Nuke 5.2. Other versions were not tested.
Note: Installations where the web server has no write access to the
web server document root are not safe. This vulnerability allows a
malicious user to access any directory on the server file system —
this can be used to copy sensitive system files (e.g. /etc/passwd, web
server basic authentication passwords, etc.) to places where they can be
later retrieved using other mechanisms.
This issue was explained in detail in a mail sent to Francisco Burzi
<email@example.com> (the author of PHP-Nuke) on October 9, 2001, for
which we received no reply. A second mail was sent on October 17, 2001,
which wasn't replied to either. We were not able to find any other contact
address on the PHP-Nuke web site. A final mail sent to some standard
contact address bounced.
Due to this, there's no official solution for this problem. A possible
workaround is to revoke access on the offending file to the web server
process; and/or use HTTP authentication to restrict access to the flawed
script, so that only trusted users may access it.
To deny file system access to the web server one may use the following
# cd php-nuke-document-root
# chmod 0 admin/case/case.filemanager.php
Consult your web server documentation to know how to restrict access to
that script based on login/password.
MASA:01-02:en Copyright © 2001 by Magnux Software, Rio de
Janeiro/Brazil. All rights reserved. This document may be copied and
distributed freely in electronic form, provided that you keep it
unchanged. Parts of it may be used unchanged and in electronic form only
without the need of explicit author authorization, provided that
proper credits are given in the form "MASA:01-02:en from Magnux Software
(http://www.magnux.com/)". To copy or reprint the whole or any part of
this document in any other non-electronic medium, contact
The information in this document may change without notice. The
information contained in this document is provided for EDUCATIONAL
PURPOSE ONLY and without ANY WARRANTY. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.
This advisory and further updates, plus other advisories issued by
Magnux Software, can be found on the MASA Advisories Page on the Magnux
Software INTL web site. Questions about Magnux Software may be sent to
<firstname.lastname@example.org>. GPG keys are available at
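
Added example, not part of the SecurityTracker entry or the Magnux advisory: the advisory notes that admin/case/case.filemanager.php is only meant to be included by admin.php, so any request that addresses it directly is worth reviewing. The sketch below scans web server access logs for such requests and notes whether the server refused them. It assumes Common Log Format and a PHP-Nuke install at the document root; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Assumption: PHP-Nuke is served from the document root, so the include-only
# admin modules live under /admin/case/ as in the advisory.
INCLUDE_ONLY = "/admin/case/"


def normalize(target):
    """Decode percent-escapes and collapse repeated slashes in the URL path."""
    path = unquote(urlsplit(target).path)
    return re.sub(r"/{2,}", "/", path).lower()


def direct_requests(log_lines):
    """Return one finding per request that addresses an include-only script."""
    findings = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, when, method, target, status = m.groups()
        path = normalize(target)
        if INCLUDE_ONLY in path:
            # 401/403 suggests the chmod or HTTP-auth workaround refused it.
            outcome = "blocked" if status in ("401", "403") else "served"
            findings.append((host, when, path, outcome))
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [08/Nov/2001:10:00:01 -0500] "GET /admin.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [08/Nov/2001:10:02:13 -0500] "GET /admin/case/case.filemanager.php?x=1 HTTP/1.0" 200 312',
    '198.51.100.7 - - [08/Nov/2001:10:05:44 -0500] "GET /admin//case/case%2Efilemanager.php HTTP/1.0" 403 210',
    '203.0.113.5 - - [08/Nov/2001:10:06:00 -0500] "GET /index.php HTTP/1.0" 200 9000',
]

if __name__ == "__main__":
    for finding in direct_requests(SAMPLE):
        print(*finding, sep="  ")
```

A "served" finding means the script answered the request and the host should be checked for copied or deleted files; "blocked" findings show the workaround is in place but that the script is still being probed.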