PHP-Nuke admin.php security hole - PATCHED
Recently a security hole was announced in reference to an admin.php exploit where anyone can obtain PHP-Nuke administrator access. I've tested my patch the past couple of days both here and at all the other sites with success. It's quite a simple patch in fact; here it is...

click here to see the code

This patch must be applied at the beginning of your admin.php code in order to be effective. It will also be implemented at our CVS site: cvs.nukecops.com tomorrow.

Admin Note: CVS file updated; code moved to a forum post, as Nuke's filtering messes it up if posted here.
Posted on Sunday, October 12 @ 22:37:44 CEST by Zhen-Xjell
 

Re: PHP-Nuke admin.php security hole - PATCHED (Score: 1)
by SuperCat on Sunday, October 12 @ 23:34:33 CEST
Pasting that code into admin.php causes an error on this line:

if (preg_match("/?admin/", "$url")) {

Something about "nothing to compare to"



And how about this security hole in mailattach.php? (Score: 1)
by chris (http://www.karakas-online.de) on Monday, October 13 @ 02:37:49 CEST
From http://www.secunia.com/advisories/9954/ :

A vulnerability has been reported in PHP-Nuke allowing malicious users to upload and execute arbitrary files.

The vulnerability is caused due to the "mailattach.php" script in the WebMail part not verifying path information in the "userfile_name" parameter and the "modules.php" script allowing people to supply arbitrary files in the "file" parameter.

Combined, these two problems can be exploited to execute arbitrary code on a vulnerable system.

Example:
1) Upload a file where the "userfile_name" parameter is set to "../../AvantGo/language/evil.php".
2) Execute it using: /modules.php?name=AvantGo&file=language/evil

The vulnerability has been reported to affect PHP-Nuke on the Windows platform only.
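
The two missing checks named in the advisory quoted above, sketched as defensive validation. This is an added example, not part of the comment, the advisory or PHP-Nuke's own code; the function names and the `modules/<name>/<file>.php` layout are assumptions made for illustration.

```php
<?php
// Added example, not PHP-Nuke code. Function names and the
// modules/<name>/<file>.php layout are assumptions.

// Reduce a client-supplied upload name to a bare leaf name, or null if unusable.
function safe_upload_name(string $clientName): ?string
{
    // Treat "\" and "/" alike so the result is the same on Windows and Unix.
    $leaf = basename(str_replace('\\', '/', $clientName));
    // Conservative allowlist; also rejects "", ".", ".." and dot-files.
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $leaf) ? $leaf : null;
}

// Map ?name=..&file=.. to a script that must live directly in modules/<name>/.
function resolve_module_file(string $modulesRoot, string $name, string $file): ?string
{
    // Single path segments only: no "/", "\", "." or NUL in either parameter.
    foreach ([$name, $file] as $part) {
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $part)) {
            return null;
        }
    }
    $base = realpath("$modulesRoot/$name");
    $path = realpath("$modulesRoot/$name/$file.php");
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved file must still sit inside the module directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary tree standing in for a site's modules directory.
$root = sys_get_temp_dir() . '/nuke_demo_' . getmypid();
mkdir("$root/AvantGo/language", 0700, true);
touch("$root/AvantGo/index.php");

// Upload names: the advisory's value, then the same path with backslashes.
var_dump(safe_upload_name('../../AvantGo/language/evil.php'));
var_dump(safe_upload_name('..\\..\\AvantGo\\language\\evil.php'));
// Module requests: a plain script name, then the advisory's "file" value.
var_dump(resolve_module_file($root, 'AvantGo', 'index'));
var_dump(resolve_module_file($root, 'AvantGo', 'language/evil'));
```

`safe_upload_name` only removes path information from the name; the attachment directory itself should still sit outside the web root or be configured so the server never executes files from it.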




