J-Security Center

Title: PHP Nuke Copying and Deleting Files Vulnerability

Severity: HIGH

Description:

PHP Nuke is a web portal creation and management package, implemented in the PHP scripting language. The default installation includes the script admin/case/case.filemanager.php, which can be used to copy and delete files on the server file system.

The script case.filemanager.php is designed so that it can only be called from the script admin.php, which is responsible for authenticating the remote user. This implementation is flawed because of a bug in PHP's handling of the $PHP_SELF variable. A remote user can include information in the URL which is appended to the $PHP_SELF variable, allowing them to bypass this check.

By calling the script in this manner and passing arbitrary file names to the script, a remote user is able to copy and delete any file on the web server. This is subject to the user permissions the web server is running under.

The remote user may, for example, copy '/etc/passwd' over a file normally displayed by the web server, gaining access to sensitive information. If the remote user is able to upload files to the server, they may be able to copy them over a standard PHP Nuke script, and have arbitrary scripts executed by the web user.
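The weakness in the caller check described above can be shown next to a hardened form. This is an added example, not PHP-Nuke source code: the substring match is an assumed shape of the flawed check, and the function names, the ADMIN_AUTHENTICATED constant and the sample request values are constructed for illustration.

```php
<?php
// Added illustration, not PHP-Nuke source. Function names, the constant
// ADMIN_AUTHENTICATED and the sample $_SERVER values are constructed.

// Weak gate (assumed shape of the flawed check): substring match on PHP_SELF.
// PHP_SELF is SCRIPT_NAME plus any trailing path data sent by the client,
// so it cannot prove which script is actually running.
function weak_gate(array $server): bool
{
    return stripos($server['PHP_SELF'], 'admin.php') !== false;
}

// Hardened gate: ignore request-derived strings entirely. admin.php defines
// the constant only after authentication succeeds; a module that is
// requested directly never sees it and must refuse to run.
function strict_gate(): bool
{
    return defined('ADMIN_AUTHENTICATED');
}

function report(string $label, array $server): void
{
    printf("%-15s PHP_SELF=%-45s weak=%-5s strict=%s\n",
        $label,
        $server['PHP_SELF'],
        var_export(weak_gate($server), true),
        var_export(strict_gate(), true));
}

// Constructed request: module requested directly, with trailing path data.
$direct = [
    'SCRIPT_NAME' => '/admin/case/case.filemanager.php',
    'PHP_SELF'    => '/admin/case/case.filemanager.php/admin.php',
];

// Constructed request: module included by admin.php after login.
$viaAdmin = [
    'SCRIPT_NAME' => '/admin.php',
    'PHP_SELF'    => '/admin.php',
];

// Nothing has authenticated yet, so the strict gate rejects this request
// even though the weak gate accepts it.
report('direct request', $direct);

// Simulate admin.php completing authentication before including the module.
define('ADMIN_AUTHENTICATED', true);
report('via admin.php', $viaAdmin);
```

In a real module the strict gate would sit at the top of the included file and exit with a 403 response when the constant is missing.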

Affected Products:

  • Francisco Burzi PHP-Nuke 5.2.0
