Full Disclosure mailing list archives
[SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection
From: pokley <pokleyzz () scan-associates net>
Date: Thu, 15 Apr 2004 02:18:31 +0800
Products: Postnuke v 0.726 (http://www.postnuke.com)
Date: 15 April 2004
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
              shaharil_at_scan-associates.net
              munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary: Postnuke v 0.726 and below SQL injection

Description
===========

Postnuke is a web content management system written in PHP that uses MySQL as its database backend.

Details
=======

We have found multiple vulnerabilities in Postnuke v 0.726, as described below.

SQL Injection in NS-Comments module
-----------------------------------

There is an SQL injection in the INSERT statement for the variable "sid" in file modules/NS-Comments/index.php, line 1142:

    VALUES ($nextid, ".pnVarPrepForStore($pid).", ".pnVarPrepForStore($sid).", now(), '".pnVarPrepForStore($uname)."', '".pnVarPrepForStore($email)."', '".pnVarPrepForStore($url)."', '".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."', '".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");

This allows a Postnuke user with permission to post comments to include any character in their comment and perform an XSS attack to steal other users' cookies.

SQL Injection in NS-Your_Account module
----------------------------------------

There is an SQL injection in the UPDATE statement for the variable "timezoneoffset" in file modules/NS-Your_Account/user/modules/changeinfo.php, lines 334 and 354:

    $column[timezone_offset]=" . pnVarPrepForStore($timezoneoffset) . "

This allows a Postnuke user to change information for other user accounts, including the Administrator password.

Workaround
==========

1) modules/NS-Comments/index.php

    VALUES ($nextid, '".pnVarPrepForStore($pid)."', '".pnVarPrepForStore($sid)."', now(), '".pnVarPrepForStore($uname)."', '".pnVarPrepForStore($email)."', '".pnVarPrepForStore($url)."', '".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."', '".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");

2) modules/NS-Your_Account/user/modules/changeinfo.php

    $column[timezone_offset]='" . pnVarPrepForStore($timezoneoffset) . "'

Proof of concept
================

[http://www.scan-associates.net/papers/post_nuker.php.txt]

Vendor Response
===============

05 February 2004 - security () postnuke com contacted through email. No response.
07 April 2004 - security () postnuke com contacted through email. No response.
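The root cause in both findings is the same: pnVarPrepForStore() escapes quote characters, but the escaped value is dropped into the statement without surrounding quotes, so input that contains no quotes at all is parsed as SQL syntax rather than as a value. The following added example (not part of the advisory or of Postnuke) reproduces that pattern against a throwaway SQLite table; pn_var_prep_for_store, insert_unquoted, insert_quoted, validate_sid and the "1 OR 2" input are all constructed for illustration, and quote doubling stands in for MySQL's backslash escaping.

```python
import re
import sqlite3


def pn_var_prep_for_store(value: str) -> str:
    """Stand-in for Postnuke's pnVarPrepForStore(): escape quote characters so
    they are safe INSIDE a quoted SQL literal. Uses SQL-standard quote doubling
    (which SQLite accepts) instead of MySQL backslash escaping; the lesson is
    the same. It never adds the surrounding quotes itself."""
    return value.replace("'", "''")


def insert_unquoted(sid: str) -> str:
    # Mirrors the vulnerable pattern: value escaped, but not wrapped in quotes.
    return ("INSERT INTO comments (sid, subject) VALUES ("
            + pn_var_prep_for_store(sid) + ", 'hello')")


def insert_quoted(sid: str) -> str:
    # Mirrors the advisory's workaround: the escaped value is wrapped in quotes,
    # so the escaping now actually confines the input to a string literal.
    return ("INSERT INTO comments (sid, subject) VALUES ('"
            + pn_var_prep_for_store(sid) + "', 'hello')")


def validate_sid(value: str) -> int:
    """Preferred handling for a numeric column: reject anything that is not a
    plain integer before it reaches the query, instead of relying on escaping."""
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("sid must be a non-negative integer")
    return int(value)


def stored_sid(sql: str):
    """Execute the statement against a fresh in-memory SQLite table
    (constructed here) and return what actually landed in the sid column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (sid INTEGER, subject TEXT)")
    con.execute(sql)
    return con.execute("SELECT sid FROM comments").fetchone()[0]


if __name__ == "__main__":
    probe = "1 OR 2"  # constructed input: contains no quotes, so escaping is a no-op
    # Unquoted: "1 OR 2" is evaluated as an SQL expression and sid becomes 1.
    print(insert_unquoted(probe), "->", stored_sid(insert_unquoted(probe)))
    # Quoted: the same text is stored verbatim as a string, not executed.
    print(insert_quoted(probe), "->", repr(stored_sid(insert_quoted(probe))))
```

The unquoted build stores the integer 1 because the database evaluated the input as an expression, while the quoted build stores the literal text; validate_sid shows the stricter check that makes the column type itself the defence.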
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html