This article is not intended to teach you how to hack into PHPNuke but how to secure it properly. Again this is NOT a license for you to poke around sites where you don't belong but I digress...
If you are like me and want to have a nice-looking, easy to manage dynamic website then PHPNuke is arguably the most popular out there. It installs, configures and runs very well on Mac OS X. However, there are a few security issues that you need to be aware of, and this is all about how to secure your PHPNuke powered site.
Read the rest of this article for some ideas on how to secure PHPNuke against hackers...
I've been running PHPNuke since September of last year and it has performed for me flawlessly. Recently though, the site was hacked. Thus began my journey to discover the holes the hacker was using.
Since our site is small and would not gather too much attention I never really worried too much about plugging everything. Besides, I have a cron job that backs up the web root and MySQL database and copies the whole thing off-site. So in the event of a catastrophe I could get it back and running in no time. Not really an excuse but just common sense with vital data.
Anyhow, thanks to Apache's logging I was able to discover the time and file(s) the hacker changed. Fortunately for me the only file munged was the default index.php file in the web root. But here is what I found after doing some searches on the net...
PHPNuke has a very serious hole...it allows you to 'cp' any file on the box... or even upload files!
Let me explain the bug... admin.php contains this routine:
$basedir = dirname($SCRIPT_FILENAME);
$textrows = 20;
$textcols = 85;
$udir = dirname($PHP_SELF);
if(!$wdir) $wdir="/";
if($cancel) $op="FileManager";
if($upload) {
copy($userfile,$basedir.$wdir.$userfile_name);
$lastaction = ""._UPLOADED." $userfile_name --> $wdir";
include("header.php");
GraphicAdmin($hlpfile);
html_header();
displaydir();
$wdir2="/";
chdir($basedir . $wdir2);
CloseTable();
include("footer.php");
Header("Location: admin.php?op=FileManager");
exit;
}
That routine doesn't do a check to see if you are logged in as admin or not. Thus by careful manipulation of a URL you can COPY ANY FILE and call it up in the web browser or upload your own file (more on this in a bit).
if($upload) {
// copy($userfile,$basedir.$wdir.$userfile_name);
// $lastaction = ""._UPLOADED." $userfile_name --> $wdir";
// include("header.php");
// GraphicAdmin($hlpfile);
// html_header();
// displaydir();
// $wdir2="/";
// chdir($basedir . $wdir2);
// CloseTable();
// include("footer.php");
// Header("Location: admin.php?op=FileManager");
exit;
}
You can use pico to do this (pico admin.php and search for upload (command-w)). Save it back out (control-o) and quit (control-x). This will effectively disable the security hole. You can even go one step further if you wish to display a message to would-be script kiddies:
if($upload) {
echo "Uploading facility removed from this site. Script kiddies are not welcome.";
exit;
}
OK, so I plugged the hole. I thought I was safe. But I was hacked again!
chmod -R 644 *
and change all the directories to 777 like this:
chmod -R 777 */
So in the end I changed all my passwords, permissions and disabled the upload function of admin.php and even removed the links.filemanager.php in ./admin/links/
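If the upload facility has to stay rather than be disabled, the checks the original routine lacked look like the following. This is an added example, not PHPNuke's code or the author's fix; the function name handle_upload and the $isAdmin flag are hypothetical, and it is written for current PHP (7 or later).

```php
<?php
// Added example: hardened replacement for the upload branch of admin.php.
// $isAdmin is a hypothetical flag; set it from the site's own admin login check.
function handle_upload(bool $isAdmin, string $basedir, string $wdir, array $file): string
{
    // 1. Refuse before touching any request data unless an admin is logged in.
    if (!$isAdmin) {
        http_response_code(403);
        return 'denied: not logged in as admin';
    }
    // 2. Accept only a file PHP itself received in this POST. The original
    //    copy($userfile, ...) trusted a request-supplied source path.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return 'denied: not a genuine upload';
    }
    // 3. Resolve the target directory and require it to stay under $basedir.
    $root = realpath($basedir);
    $dir  = realpath($basedir . '/' . $wdir);
    if ($root === false || $dir === false
        || strncmp($dir . '/', $root . '/', strlen($root) + 1) !== 0) {
        return 'denied: target directory outside web root';
    }
    // 4. Drop path components from the client-supplied name and refuse
    //    dotfiles and names carrying an extension the server may execute.
    $name = basename($file['name']);
    if ($name === '' || $name[0] === '.'
        || preg_match('/\.(php\d?|phtml|cgi|pl)(\.|$)/i', $name)) {
        return 'denied: file name not allowed';
    }
    // 5. move_uploaded_file() re-checks that the source is an upload.
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        return 'error: could not store file';
    }
    return "uploaded $name";
}

// Call site in place of the original "if($upload) { ... }" block:
// echo handle_upload($isAdmin, dirname(__FILE__), $_POST['wdir'] ?? '/', $_FILES['userfile'] ?? []);
```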
Mac OS X Hints
http://hints.macworld.com/article.php?story=2002010820345221