PostNuke Issues (0.726 && Possibly Older)

[JeiAr <security () gulftech org>]

Vendor  : PostNuke
URL     : http://www.postnuke.com
Version : PostNuke 0.726 Phoenix && Older(??)
Risk    : SQL Injection && XSS



Description:
Postnuke is a popular Open Source CMS (Content Managment System) used
by millions of people all across the world. 



SQL Injection:
SQL Injection is possible by passing unexpected data to the "sortby" variable
in the "members_list" module. This vulnerability may allow an attacker to
manipulate queries as well as view the full physical path of the postnuke
installation. This is due to user input not being properly sanatized.



Cross Site Scripting:
XSS is possible via the download module by injecting HTML or Script into the 
"ttitle" variable when viewing the details of an item for download. Example:

name=Downloads&file=index&req=viewdownloaddetails&lid=[VID]&ttitle="><iframe>

Where [VID] is should be the valid id number of a file for download. 



Solution:
An update has been released regarding the SQL Injection vulnerability. The XSS
vuln however will not be fixed until future releases of PostNuke as it is really
not possible to HiJack a users postnuke session, thus limiting the chances of
this being harmful to any users or administrators. Much respect to the postnuke
Dev team and especially Andreas Krapohl aka larsneo for being very prompt and 
professional about issuing a fix for this immediately. The fixed may be obtained
from the official PostNuke website at http://www.postnuke.com



Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
http://www.gulftech.org



Hope everyone had a good Christmas/Hanukkah/Kwanza and a Happy New Year :o)