If you are like me and want to have a nice-looking, easy-to-manage dynamic website, then PHPNuke is arguably the most popular out there. It installs, configures and runs very well on Mac OS X. However, there are a few security issues that you need to be aware of, and this is all about how to secure your PHPNuke-powered site.
Read the rest of this article for some ideas on how to secure PHPNuke against hackers...
This article is not intended to teach you how to hack into PHPNuke but how to secure it properly. Again this is NOT a license for you to poke around sites where you don't belong but I digress...
I've been running PHPNuke since September of last year and it has performed for me flawlessly. Recently though, the site was hacked. Thus began my journey to discover the holes the hacker was using.
Since our site is small and would not gather too much attention, I never really worried too much about plugging everything. Besides, I have a cron job that backs up the web root and MySQL database and copies the whole thing off-site. So in the event of a catastrophe I could get it back and running in no time. Not really an excuse but just common sense with vital data.
Anyhow, thanks to Apache's logging I was able to discover the time and file(s) the hacker changed. Fortunately for me the only file munged was the default index.php file in the web root. But here is what I found after doing some searches on the net...
PHPNuke has a very serious hole...it allows you to 'cp' any file on the box... or even upload files!
Let me explain the bug... admin.php contains this routine:
$basedir = dirname($SCRIPT_FILENAME);
$textrows = 20;
$textcols = 85;
$udir = dirname($PHP_SELF);
if(!$wdir) $wdir="/";
if($cancel) $op="FileManager";
// No admin check before this point; $upload, $userfile, $userfile_name
// and $wdir are taken straight from the request.
if($upload) {
    copy($userfile,$basedir.$wdir.$userfile_name);
    $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
    include("header.php");
    GraphicAdmin($hlpfile);
    html_header();
    displaydir();
    $wdir2="/";
    chdir($basedir . $wdir2);
    CloseTable();
    include("footer.php");
    Header("Location: admin.php?op=FileManager");
    exit;
}
That routine doesn't check whether you are logged in as admin or not. Thus, by careful manipulation of a URL, you can COPY ANY FILE and call it up in the web browser, or upload your own file (more on this in a bit).
Example:
http://www.yourdomain.com/admin.php?upload=1 & file=config.php & file_name=hacked.txt & wdir=/images/ & userfile=config.php & userfile_name=hacked.txt [spaces added to improve readability and allow line breaks].
The admin 'login' page will be displayed; just go to http://www.yourdomain.com/images/hacked.txt and you will see config.php, which as everyone knows contains the SQL passwords. This way the hacker could get in and manipulate the SQL server!
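To find out whether this request pattern has already been used against a site, the Apache access log can be searched for it. The following is an added example, not code from the original article or from PHPNuke; it assumes the common/combined log format, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: flag access-log requests that drive admin.php's upload
# branch from the URL. A real browser upload sends userfile in a multipart
# POST body, so "userfile=" in the query string is the abuse pattern.
# Assumes Apache common/combined log format (request target is field 7).
find_upload_abuse() {
    awk '{
        q = index($7, "?")
        if (q == 0) next                       # no query string at all
        path  = substr($7, 1, q - 1)
        query = "&" substr($7, q + 1)          # leading & simplifies matching
        if (path  !~ /\/admin\.php$/) next
        if (query !~ /&upload=/)      next
        if (query !~ /&userfile=/)    next
        # client IP, timestamp, HTTP status, full request target
        printf "%s %s status=%s %s\n", $1, substr($4, 2), $9, $7
    }' "$1"
}

# Constructed sample log (documentation IP ranges, made-up timestamps).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [12/Mar/2002:03:14:07 -0500] "GET /index.php HTTP/1.0" 200 5120
198.51.100.7 - - [12/Mar/2002:03:15:42 -0500] "GET /admin.php?upload=1&wdir=/images/&userfile=config.php&userfile_name=hacked.txt HTTP/1.0" 200 2210
198.51.100.7 - - [12/Mar/2002:03:15:50 -0500] "GET /images/hacked.txt HTTP/1.0" 200 1893
192.0.2.10 - - [12/Mar/2002:09:02:11 -0500] "POST /admin.php?op=FileManager HTTP/1.0" 200 3300
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
find_upload_abuse "$tmp"
rm -f "$tmp"
```

Any hit gives the client address and time to start from; the file named in userfile_name should then be looked for under the directory given in wdir.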
Solution:
The most effective way to remove the security hole is to comment out the upload function in admin.php. You will lose the ability to use the built-in filemanager in PHPNuke but you're better off using FTP or SSH to do those kinds of functions.
Comment out the upload function like this:
if($upload) {
// copy($userfile,$basedir.$wdir.$userfile_name);
// $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
// include("header.php");
// GraphicAdmin($hlpfile);
// html_header();
// displaydir();
// $wdir2="/";
// chdir($basedir . $wdir2);
// CloseTable();
// include("footer.php");
// Header("Location: admin.php?op=FileManager");
exit;
}
You can use pico to do this (pico admin.php and search for upload (command-w)). Save it back out (control-o) and quit (control-x). This will effectively disable the security hole. You can even go one step further if you wish to display a message to would-be script kiddies:
if($upload) {
    echo "Uploading facility removed from this site. Script kiddies are not welcome.";
    exit;
}
OK, so I plugged the hole. I thought I was safe. But I was hacked again!
This time I missed a file the hacker had uploaded into my web root by exploiting this flaw before I disabled it.
The little file was just sitting there... phpshell.php
phpshell uses PHP to act as a shell on your web server. This effectively by-passes SSH and Telnet. The hacker can call up phpshell in a web browser and command away to his heart's desire. In my case a simple text redirection into index.php was enough to deface the site!
I also was dumb enough to leave all the files in the web root set to 777, which allowed any file to be overwritten. I changed that in a hurry. Unless you change the files quite a bit, set them all to 644 like this:
# regular files only, at every depth; directories keep their own mode
find . -type f -exec chmod 644 {} \;
and change all the directories to 777 like this:
# directories only, so the files inside them stay at 644
find . -type d -exec chmod 777 {} \;
So in the end I changed all my passwords and permissions, disabled the upload function of admin.php and even removed the links.filemanager.php in ./admin/links/
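A leftover file such as phpshell.php and a rewritten index.php both show up when the live web root is compared with the backup copy. The following is an added example, not part of the original article; the function name audit_webroot and the demo tree are made up for illustration, and the backup is assumed to be unpacked into a directory.

```shell
#!/bin/sh
# Added example: compare the live web root against a known-good backup copy.
# Output tags (one finding per line):
#   NEW       present in the web root but not in the backup (a dropped script)
#   CHANGED   content differs from the backup copy (a defaced page)
#   WRITABLE  regular file with the world-write bit set (o+w, e.g. 777 or 666)
audit_webroot() {
    webroot=$1
    backup=$2
    ( cd "$webroot" && find . -type f -print ) | sort |
    while IFS= read -r f; do
        if [ ! -f "$backup/$f" ]; then
            echo "NEW $f"
        elif ! cmp -s "$webroot/$f" "$backup/$f"; then
            echo "CHANGED $f"
        fi
    done
    ( cd "$webroot" && find . -type f -perm -002 -print ) | sort |
        sed 's/^/WRITABLE /'
}

# Constructed demo tree: file names follow the article, contents are dummies.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/backup/images" "$d/live/images"
    echo '<?php /* site */ ?>'   > "$d/backup/index.php"
    echo '<?php /* config */ ?>' > "$d/backup/config.php"
    cp -R "$d/backup/." "$d/live/"
    echo 'defaced'               > "$d/live/index.php"       # changed page
    echo 'placeholder'           > "$d/live/phpshell.php"    # leftover upload
    chmod 644 "$d/live/config.php" "$d/live/phpshell.php"
    chmod 777 "$d/live/index.php"                            # world-writable
    echo "$d"
}

d=$(demo_tree)
audit_webroot "$d/live" "$d/backup"
rm -rf "$d"
```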
If you don't want script kiddies playing around in your PHPNuke site then go the extra mile and learn to secure it properly!

