PHP-Nuke has an input-validation vulnerability that can lead to execution of arbitrary PHP code hosted on another web server.
PHP-Nuke is a tool designed to ease web site creation and maintenance. PHP-Nuke includes a script named index.php, which uses PHP's include() function to execute a PHP file specified in the CGI variable named "file". If supplied an HTTP URL, PHP's include() function will request the file from the web server named in the URL. Since the index.php script does not check whether the "file" variable contains an HTTP URL before including the file, it can be made to execute arbitrary PHP code from any reachable web server.
A remote attacker can force the server to run arbitrary PHP source code with the same user privileges as the PHP server process on the victim host.
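The unchecked include() described above, shown next to a validated form. This is an added example, not PHP-Nuke's code or its patch; the function name resolve_page, the pages/ directory and the allowlist entries are assumptions, and the syntax targets current PHP rather than the 2002 release.

```php
<?php
// Added example. resolve_page(), pages/ and the allowlist are hypothetical names.

// Pattern the note describes: the request value is passed straight to include().
//   include($_GET['file']);   // a value that is an HTTP URL is fetched and executed

/**
 * Map the request's "file" value to a local script path, or return null
 * when the value is not an approved page name.
 */
function resolve_page(string $requested, string $baseDir, array $allowed): ?string
{
    // Plain names only: this rejects URL schemes (http://, ftp://),
    // path separators, "..", and NUL bytes in one check.
    if (preg_match('/^[A-Za-z0-9_-]+$/', $requested) !== 1) {
        return null;
    }
    // The name must be on a fixed allowlist; nothing is derived from user input.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // Resolve symlinks and confirm the result stays inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed allowlist for illustration.
$allowed = ['home', 'news', 'downloads'];

$target = resolve_page($_GET['file'] ?? 'home', __DIR__ . '/pages', $allowed);
if ($target === null) {
    // Refuse the request instead of falling back to the raw value.
    http_response_code(400);
    exit('Invalid page');
}
include $target;
```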
Apply a patch
Upgrade to version 5.5 or later of PHP-Nuke.
Change PHP configuration
Thanks to Nopman for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2002-09-16
Date Last Updated: 2002-09-16 22:10 UTC