Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

[SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection

From: pokley <pokleyzz () scan-associates net>
Date: Thu, 15 Apr 2004 02:18:31 +0800
Products: Postnuke v 0.726 (http://www.postnuke.com)
Date: 15 April 2004
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: Postnuke v 0.726 and below SQL injection

Description
===========
Postnuke is Web Content Management System written in PHP and using mysql
as database backend.

Details
=======
We have found multiple vulnerabilities in Postnuke v 0.726 as described
below.

SQL Injection in NS-Comments module
-----------------------------------
There is SQL injection in INSERT statement for variable "sid" in file
modules/NS-Comments/index.php line 1142:


                         VALUES ($nextid, ".pnVarPrepForStore($pid).",
".pnVarPrepForStore($sid).", now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
                                                   '".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");


This will allow Postnuke user with permission to post comment include any
character in their comment and perform XSS attack to steal other user cookies. 

SQL Injection in NS-Your_Account module
----------------------------------------
There is SQL injection in UPDATE statement for variable "timezoneoffset"
in file modules/NS-Your_Account/user/modules/changeinfo.php php line 334
and 354:

  $column[timezone_offset]=" . pnVarPrepForStore($timezoneoffset) . "

This will allow Postnuke user to change information for other user account
including Administrator password.

Workaround
==========
1) modules/NS-Comments/index.php

                         VALUES ($nextid, '".pnVarPrepForStore($pid)."',
'".pnVarPrepForStore($sid)."', now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
                                                   '".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");

2)modules/NS-Your_Account/user/modules/changeinfo.php

$column[timezone_offset]='" . pnVarPrepForStore($timezoneoffset) . "'

Proof of concept
================
[http://www.scan-associates.net/papers/post_nuker.php.txt]

Vendor Response
===============
05 February 2004 - security () postnuke com contacted through email. no response. 07 April 2004 - security () postnuke com contacted through email. no response. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: