• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: PHPNuke Remote File Copy Vulnerability

Severity: HIGH

Description:

PHP Nuke is a website creation/maintenance tool written in PHP3.

PHP Nuke contains a vulnerability that may allow for remote attackers to overwrite files with custom data on target webservers. The vulnerability lies in an administrative component of the package, 'admin.php'.

When the script is requested with a value set for the 'upload' variable, it attempts a file copy using remotely-supplied HTML variables as the source and destination files. The script does not ensure that the user requesting the operation is an administrator. As a result, it is possible for remote users to overwrite arbitrary webserver writeable files with data from arbitrary webserver readable files. It is also possible to place arbitrary files in webserver writeable directories on the target filesystem.

Furthermore, remote attackers can upload files to the webserver. An attacker may be able to upload a custom file to the webserver, then overwrite an arbitrary webserver-writeable file with it's contents.

The destination file does not need to be in the webroot tree.

This vulnerability may allow for an attacker to gain access to the host, cause denial of service or deface the target website.

Versions of PostNuke, a derivative of PHP Nuke, are also reportedly vulnerable.

Affected Products:

• Francisco Burzi PHP-Nuke 1.0.0
• Francisco Burzi PHP-Nuke 2.5.0
• Francisco Burzi PHP-Nuke 3.0.0
• Francisco Burzi PHP-Nuke 4.0.0
• Francisco Burzi PHP-Nuke 4.3.0
• Francisco Burzi PHP-Nuke 4.4.0
• Francisco Burzi PHP-Nuke 4.4.1a
• Francisco Burzi PHP-Nuke 5.0.0
• Francisco Burzi PHP-Nuke 5.0.1
• Francisco Burzi PHP-Nuke 5.1.0
• Francisco Burzi PHP-Nuke 5.2.0
• Francisco Burzi PHP-Nuke 5.2.0a

References:

• Francisco Burzi: PHP-Nuke Product Page

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.