SecurityTracker.com
Category:   Application (Web Server/CGI)  >   PHP-Nuke
Vendors:   Phpnuke.org
(Additional Vulnerability Information is Provided) Re: PHP-Nuke Lets Remote Users Upload Files to the Server and Copy Files on the Server, Yielding User Level Access on the Server
SecurityTracker Alert ID:  1002716
SecurityTracker URL:  http://securitytracker.com/id/1002716
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 8 2001
Impact:   Modification of system information, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): all versions except '5.0 RC1', an interim release
Description:   A vulnerability was reported by twlc in PHP-Nuke. The security hole allows remote users to copy files on the system with the privileges of the web server and to upload files to the system.

It is reported that the 'admin.php' administrative component of PHP-Nuke fails to verify, before executing certain commands, that the requesting user is authenticated and has administrative privileges. This allows unauthorized users to issue commands, including file copy commands, via the FileManager() function.

The Magnux Software Advisory, provided in the Source Message, provides a good, clear description of the details of the vulnerability.

Impact:   A remote user can upload files to the server and can copy files on the server with the privileges of the web server. This can allow a remote user to obtain user level access on the server.
Solution:   No vendor solution was available at the time of this entry.

The author of the report recommends removing the FileManager function and using FTP to upload files instead of FileManager.

Vendor URL:  www.phpnuke.org/
Cause:   Access control error, Authentication error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 28 2001 PHP-Nuke Lets Remote Users Upload Files to the Server and Copy Files on the Server, Yielding User Level Access on the Server



 Source Message Contents

Date:  Thu, 08 Nov 2001 14:57:55 -0500
Subject:  Copying and Deleting Files Using PHP-Nuke


MASA:01-02:en - Copying and Deleting Files Using PHP-Nuke

Magnux Software Advisory - $Date: 2001/11/05 18:57:50 $


Overview

PHP-Nuke is a popular web portal creation system written in the PHP
language. Some PHP-Nuke versions have a security flaw that allows a
malicious user to copy and delete arbitrary files on the server machine.
If the malicious user is able to upload files to the web server by some
mechanism (e.g. anonymous FTP), he/she may be able to copy PHP scripts
into the web server document root and have them interpreted by the
scripting engine, which would allow him/her to run commands on the
machine remotely. Copying and deleting files is subject to the
permissions of the user id the web server is running as. However, it is
a common scenario to give the server write access to the PHP-Nuke
directories, or at least to some key files, so that site administration
can be performed using a web browser. This is explained in detail in the
PHP-Nuke INSTALL file.



Detailed Description

The admin/case/case.filemanager.php script contains code to abort
execution if it is being called directly by the user instead of being
included by the admin.php script. The code checks whether the string
admin.php is present anywhere in the $PHP_SELF variable, as an
indication that the file is being included by the aforementioned
script. Because PHP appends any trailing path information (PATH_INFO)
of the request to $PHP_SELF, a malicious user can insert the searched
string into $PHP_SELF simply by requesting the script as
case.filemanager.php/admin.php, and thus make the test always pass.
Together with the automatic creation of PHP global variables from
query string parameters (register_globals), this flaw may be exploited
to direct the script to copy and delete arbitrary files on the server
file system. For example, the following URL will exploit the flaw to
copy the file php-nuke-document-root/config.php to
/var/ftp/pub/incoming/phpnuke-config.txt:

http://example.org/admin/case/case.filemanager.php/admin.php?op=move&confirm=1&do=copy&basedir=&file=../../config.php&newfile=/var/ftp/pub/incoming/phpnuke-config.txt

The next example illustrates how a malicious user can copy a
previously uploaded file (/var/ftp/pub/incoming/foobar.gif) to a PHP
script (evil.php) under the web server document root:

http://example.org/admin/case/case.filemanager.php/admin.php?op=move&confirm=1&do=copy&basedir=&file=/var/ftp/pub/incoming/foobar.gif&newfile=evil.php

The following URL may be used to delete the file /tmp/foo on the
server:

http://example.org/admin/case/case.filemanager.php/admin.php?op=del&confirm=1&basedir=&file=/tmp/foo
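The guard and the parameter handling described above, reconstructed as an
added example. This is not PHP-Nuke's own code: the file layout, the
register_globals setting, the ADMIN_FILE constant name and the upload
directory are assumptions made for the illustration. It shows why the
substring test on $PHP_SELF passes for a direct request with PATH_INFO, how
a constant set by the including script closes that hole, and how the
request-supplied file names should be confined before any copy or delete.

```php
<?php
// Added illustration, not PHP-Nuke's own code. It reconstructs the include
// guard pattern the advisory describes and shows a hardened form. Assumed
// layout: admin.php includes admin/case/case.filemanager.php, and the server
// runs PHP with register_globals=On, so ?file=...&newfile=... from the query
// string arrive as the globals $file and $newfile.

// Vulnerable guard: a substring test on $PHP_SELF. $PHP_SELF is the script
// path followed by any PATH_INFO, so a request for
//   /admin/case/case.filemanager.php/admin.php?op=move&...
// gives "/admin/case/case.filemanager.php/admin.php" and the test passes
// although admin.php never executed and no administrator session was checked.
function vulnerable_guard_passes(string $php_self): bool
{
    return stripos($php_self, 'admin.php') !== false;
}

// Hardened guard: the including script defines a constant before the include
// (in admin.php: define('ADMIN_FILE', true); include 'admin/case/case.filemanager.php';)
// and the case file tests it. A direct request cannot define the constant,
// whatever the request path looks like.
function hardened_guard_passes(): bool
{
    return defined('ADMIN_FILE');
}

// Parameter handling for the copy/delete operations.
// Vulnerable: the request-controlled $basedir and $file are concatenated and
// used as-is, so "../../config.php" or an absolute "/tmp/foo" is accepted.
function vulnerable_target(string $basedir, string $file): string
{
    return $basedir . $file;
}

// Hardened: confine the name to a fixed directory ($upload_root is an
// assumed setting for this illustration). Absolute paths, NUL bytes and any
// ".." segment are refused before the path touches the file system.
function safe_target(string $upload_root, string $file): ?string
{
    if ($file === '' || $file[0] === '/' || strpos($file, "\0") !== false) {
        return null;
    }
    foreach (explode('/', str_replace('\\', '/', $file)) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    return rtrim($upload_root, '/') . '/' . $file;
}

// Walk through the advisory's first example request.
$php_self = '/admin/case/case.filemanager.php/admin.php';   // script + PATH_INFO
$basedir  = '';                                             // from ?basedir=
$file     = '../../config.php';                             // from ?file=
$newfile  = '/var/ftp/pub/incoming/phpnuke-config.txt';     // from ?newfile=

echo 'substring guard: ', vulnerable_guard_passes($php_self) ? 'passes (bypassed)' : 'blocks', "\n";
echo 'constant guard:  ', hardened_guard_passes() ? 'passes' : 'blocks (ADMIN_FILE undefined)', "\n";
echo 'unchecked copy:  ', vulnerable_target($basedir, $file), ' -> ', $newfile, "\n";
echo 'confined source: ', var_export(safe_target('/var/www/nuke/uploads', $file), true), "\n";
echo 'confined dest:   ', var_export(safe_target('/var/www/nuke/uploads', $newfile), true), "\n";
```

Run it with the PHP command-line interpreter. The constant guard is the
approach that matters: the substring test can be made to pass by anyone who
controls the request path, whereas a constant can only be defined by code
that already ran on the server. The confinement check is lexical on purpose,
so it also works for a destination name that does not exist yet; a real file
manager would additionally resolve the upload root with realpath() and reject
symlinks that leave it.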



Impact

Remote users can copy and delete arbitrary files on the server system,
subject to web server user id restrictions.
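For defenders who cannot take the script offline yet, the request shape is
distinctive: the script that actually executes is case.filemanager.php, the
PATH_INFO that follows it contains admin.php, and the query string carries
op=move or op=del with file= and newfile= parameters. The following added
example, which is not from the advisory or from PHP-Nuke, scans Apache-style
combined access log lines for that pattern; the log lines are constructed for
the example, and the addresses, timestamps and sizes in them are made up.

```php
<?php
// Added example, not from the advisory or PHP-Nuke: scan Apache-style access
// log lines for requests that use the PATH_INFO trick against
// admin/case/case.filemanager.php. The log lines below are constructed for
// the example; the field layout follows the common combined log format.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [08/Nov/2001:14:57:55 -0500] "GET /admin/case/case.filemanager.php/admin.php?op=move&confirm=1&do=copy&basedir=&file=../../config.php&newfile=/var/ftp/pub/incoming/phpnuke-config.txt HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Nov/2001:14:58:10 -0500] "GET /admin/case/case.filemanager.php/admin.php?op=del&confirm=1&basedir=&file=/tmp/foo HTTP/1.0" 200 301 "-" "Mozilla/4.0"
198.51.100.2 - - [08/Nov/2001:15:01:02 -0500] "GET /admin.php?op=FileManager HTTP/1.0" 200 4096 "-" "Mozilla/4.0"
198.51.100.9 - - [08/Nov/2001:15:02:40 -0500] "GET /modules.php?name=News HTTP/1.0" 200 8192 "-" "Mozilla/4.0"
LOG;

/**
 * Returns null for a benign line, or an array describing the suspicious
 * request: client address, the script that actually executed, the PATH_INFO
 * that was appended to it, and the filemanager parameters it carried.
 */
function detect_filemanager_bypass(string $line): ?array
{
    // Client address, request method and request target from the log line.
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    [, $client, $target] = $m;

    $path  = (string) parse_url($target, PHP_URL_PATH);
    $query = (string) parse_url($target, PHP_URL_QUERY);

    // Split "script.php" from any trailing PATH_INFO ("/x/y.php/anything").
    if (!preg_match('#^(.*?\.php)(/.*)$#i', $path, $p)) {
        return null;
    }
    [, $script, $path_info] = $p;

    // Only the guarded case file, and only when "admin.php" is smuggled in
    // through PATH_INFO rather than being the script that ran.
    if (stripos($script, 'case.filemanager.php') === false
        || stripos($path_info, 'admin.php') === false) {
        return null;
    }

    parse_str($query, $params);
    return [
        'client'    => $client,
        'script'    => $script,
        'path_info' => $path_info,
        'op'        => $params['op'] ?? null,
        'do'        => $params['do'] ?? null,
        'file'      => $params['file'] ?? null,
        'newfile'   => $params['newfile'] ?? null,
    ];
}

foreach (explode("\n", SAMPLE_LOG) as $line) {
    $hit = detect_filemanager_bypass($line);
    if ($hit !== null) {
        printf("%s op=%s do=%s file=%s newfile=%s\n",
            $hit['client'], $hit['op'] ?? '-', $hit['do'] ?? '-',
            $hit['file'] ?? '-', $hit['newfile'] ?? '-');
    }
}
```

The third sample line, a legitimate administrator opening the file manager
through admin.php, is deliberately not flagged: there admin.php is the script
itself and no PATH_INFO follows it. Keying on the PATH_INFO split rather than
on "admin.php" anywhere in the URL is what keeps the rule from paging on
normal administration traffic.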



Who is Affected

This flaw was found in PHP-Nuke 5.2. Other versions were not tested.

     Note: Installations where the web server has no write access to the
web server document root are not safe either. This vulnerability allows a
malicious user to access any directory on the server file system; this
can be used to copy sensitive system files (e.g. /etc/passwd, web server
basic authentication password files, etc.) to places from which they can
later be retrieved using other mechanisms.



Solution/workarounds

This issue was explained in detail in a mail sent to Francisco Burzi
<fbc@mandrakesoft.com> (the author of PHP-Nuke) on October 9, 2001, to
which we received no reply. A second mail was sent on October 17, 2001,
which was not answered either. We were not able to find any other contact
address on the PHP-Nuke web site. A final mail sent to some standard
contact address bounced.

Due to this, there is no official solution for this problem. A possible
workaround is to revoke the web server process's access to the offending
file, and/or to use HTTP authentication to restrict access to the flawed
script, so that only trusted users may reach it.

To deny the web server access to the file, one may use the following
commands (as root, or as the owner of the file):

# cd php-nuke-document-root
# chmod 0 admin/case/case.filemanager.php

Note that this also disables the FileManager for legitimate
administrators, since admin.php can no longer include the file; uploads
must then be done by other means (e.g. FTP). Consult your web server
documentation to learn how to restrict access to that script based on
login/password.



Additional Information

MASA:01-02:en Copyright © 2001 by Magnux Software, Rio de
Janeiro/Brazil. All rights reserved. This document may be copied and
distributed freely in electronic form, provided that you keep it
unchanged. Parts of it may be used unchanged and in electronic form only
without the need of explicitly author authorization, provided that
proper credits are given in the form "MASA:01-02:en from Magnux Software
(http://www.magnux.com/)". To copy or reprint the whole or any part of
this document in any other non-electronic medium, contact
<masa@magnux.com>.

The information in this document may change without notice. The
information contained in this document is provided for EDUCATIONAL
PURPOSE ONLY and without ANY WARRANTY. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

This advisory and further updates, plus other advisories issued by
Magnux Software, can be found on the MASA Advisories Page on the Magnux
Software INTL web site. Question about Magnux Software may be sent to
<admin@magnux.com>. GPG keys are available at
http://www.magnux.com/gpg-keys.txt.


Copyright 2013, SecurityGlobal.net LLC