Bugtraq mailing list archives

PostNuke Bugged


From: Scott <rootkidd () email com>
Date: 22 Mar 2002 18:31:12 -0000



Hi everyone,

This post comes 4 weeks after the original information was made available to the developers, allowing time for many affected users to patch and for the developers to fix and check newer versions.

---------

Rootkidd found another set of vulnerabilities in PostNuke, this time in version 7.0.3 and below.

www.postnuke.com

This software will allow anyone to produce an interactive website for their users. Sadly, due to the nature of this software, user input validation is not done correctly. This is serious, as ALL websites running PostNuke prior to today's CVS version are vulnerable. While CSS (cross-site scripting) bugs are well known and widespread, it seems that many such sites are still falling victim.

The particular issue allows a user to craft special URLs using postnuke.com or any derived website and then force a script-enabled browser to run hostile code or other trickery. It is also possible to steal a user's login session details and passwords.

Rootkidd can now post this as apparently the software, according to the PostNuke developers, has been fixed in their latest CVS version, which was created today, 02/03/02. However, many sites using it are still unpatched. Please update!!

There are many more bugs than those that follow.

-Example

http://one_of_100's_of_sites/modules.php?op=modload&name=<iframe%20src="http://www.microsoft.com";>  <-- this is funny :o)

http://one_of_100's_of_sites/index.php?catid=<script>alert(document.cookie)</script>

The cookie details are displayed on the page as well as in an alert window, which could lead to a user's account being compromised.

The below text will be shown on the web page once run.

PHPLive New! 
alert(document.cookie)&unique=1015076420651 
border=0 
alt='Click for Live Support!'> 

We also get some information from the site that we should not:

DB Error: getArticles: 1064: You have an error in your SQL syntax near '= ORDER BY nuke_stories.sid DESC LIMIT 1' at line 23

We also get the fully qualified path to the files involved, allowing one to guess the OS type and other such things.

There are many bugs similar to these in pages other than the examples shown. Most people think it is just modules.php, but this is NOT the case.

This is an example of some other information that can be retrieved:

22/03/2002,19:32 "Fehler auf /index.php?xcontentmode= -> -> /index.php (linked on ) Datenbankfehler: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc ' at line 1 Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc " Error: "" Request:"/index.php?xcontentmode=" Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" Port:"32069" \n

22/03/2002,19:32 "Fehler auf /index.php?xcontentmode= -> -> /index.php (linked on ) Datenbankfehler: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc limit 0,10' at line 1 Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc limit 0,10 " Error: "" Request:"/index.php?xcontentmode=" Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" Port:"32069" \n



Fix-

Visit postnuke.com & trollix.com for a patch script, upgrade your PostNuke version, use strip_tags($Evil_halt, "acceptable html"); on user input, filter unwanted code being passed to the server, add <>, cookie and other such characters / words to your snort config, and finally DISABLE error reporting in php.ini.
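To illustrate the fix described above, here is an added example; it is not PostNuke's own code, and the function names, the $db object and its query()/error members are assumptions. It shows the reflected-parameter pattern beside a hardened version that validates the input, escapes output (strip_tags alone does not neutralise quotes), and logs database errors instead of printing them to the page.

```php
<?php
// Added illustration of the fix; not PostNuke code. Function names, $db and
// its ->query()/->error members are hypothetical. Only the request parameter
// "catid" and the getArticles name come from the advisory.

// Never show PHP or database errors to visitors (php.ini: display_errors = Off).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Vulnerable pattern: the raw value of ?catid= is written into the page, so a
// URL carrying <script>alert(document.cookie)</script> runs in the visitor's browser.
function render_category_vulnerable(array $get): string
{
    $catid = isset($get['catid']) ? $get['catid'] : '';
    return '<h2>Category ' . $catid . '</h2>';
}

// Hardened pattern: catid is validated as the integer the query expects, and
// everything reflected into HTML is escaped so tags and quotes become inert.
function render_category_safe(array $get): string
{
    $raw   = isset($get['catid']) ? $get['catid'] : '';
    $catid = filter_var($raw, FILTER_VALIDATE_INT);
    if ($catid === false) {
        return '<p>Invalid category.</p>';   // reject; do not echo the input back
    }
    return '<h2>Category ' . htmlspecialchars((string) $catid, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Free-text input: strip_tags() as the advisory suggests, then escape on output,
// because strip_tags leaves quotes and stray attribute text intact.
function clean_text(string $text): string
{
    return htmlspecialchars(strip_tags($text), ENT_QUOTES, 'UTF-8');
}

// Database errors: record the SQL error in the server log and return a generic
// failure, instead of printing the query text and file path into the page.
function run_query($db, string $sql)
{
    $result = $db->query($sql);
    if ($result === false) {
        error_log('DB error in getArticles: ' . $db->error);
        return null;
    }
    return $result;
}

// Constructed sample request, as it would arrive in $_GET: the script tag is
// rejected by the integer check and nothing from the URL is reflected.
$sample = ['catid' => '<script>alert(document.cookie)</script>'];
echo render_category_safe($sample), "\n";
```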


http://sourceforge.net/tracker/index.php?func=detail&aid=524777&group_id=27927&atid=392228


----

Rootkidd thinks that all PHP-based sites are at risk, having found many bugs in PHP-Nuke that are almost identical: path disclosure, CSS, CSRF, SQL statements and many more nice things.

This is Rootkidd's first post to Bugtraq, as he has always tried to keep bug releases to his own site only; he has now removed the site and removed this method of informing people.

Thanks, and happy hacking.
