[Full-Disclosure] [SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection

From: pokley (pokleyzz_at_scan-associates.net)
Date: 04/14/04

    To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, "full-disclosure@lists.netsys.com" <full-disclosure@lists.netsys.com>
    Date: Thu, 15 Apr 2004 02:18:31 +0800
    
    

    Products: Postnuke v 0.726 (http://www.postnuke.com)
    Date: 15 April 2004
    Author: pokleyzz <pokleyzz_at_scan-associates.net>
    Contributors: sk_at_scan-associates.net, shaharil_at_scan-associates.net,
    munir_at_scan-associates.net
    URL: http://www.scan-associates.net

    Summary: Postnuke v 0.726 and below SQL injection

    Description
    ===========
    Postnuke is a web content management system written in PHP that uses MySQL
    as its database backend.

    Details
    =======
    We have found multiple vulnerabilities in Postnuke v 0.726 as described
    below.

    SQL Injection in NS-Comments module
    -----------------------------------
    There is a SQL injection in the INSERT statement for the variable "sid" in
    file modules/NS-Comments/index.php, line 1142:

        VALUES ($nextid, ".pnVarPrepForStore($pid).",
                ".pnVarPrepForStore($sid).", now(),
                '".pnVarPrepForStore($uname)."', '".pnVarPrepForStore($email)."',
                '".pnVarPrepForStore($url)."', '".pnVarPrepForStore($ip)."',
                '".pnVarPrepForStore($subject)."', '".pnVarPrepForStore($comment)."',
                '".pnVarPrepForStore($score)."', 0)");

    Because the value is not enclosed in quotes, the escaping done by
    pnVarPrepForStore() does not constrain it. This allows a Postnuke user with
    permission to post comments to include arbitrary characters in their
    comment and perform an XSS attack to steal other users' cookies.

    SQL Injection in NS-Your_Account module
    ----------------------------------------
    There is a SQL injection in the UPDATE statement for the variable
    "timezoneoffset" in file modules/NS-Your_Account/user/modules/changeinfo.php,
    lines 334 and 354:

       $column[timezone_offset]=" . pnVarPrepForStore($timezoneoffset) . "

    This allows a Postnuke user to change information for other user accounts,
    including the Administrator password.

    Workaround
    ==========
    1) modules/NS-Comments/index.php

        VALUES ($nextid, '".pnVarPrepForStore($pid)."',
                '".pnVarPrepForStore($sid)."', now(),
                '".pnVarPrepForStore($uname)."', '".pnVarPrepForStore($email)."',
                '".pnVarPrepForStore($url)."', '".pnVarPrepForStore($ip)."',
                '".pnVarPrepForStore($subject)."', '".pnVarPrepForStore($comment)."',
                '".pnVarPrepForStore($score)."', 0)");

    2) modules/NS-Your_Account/user/modules/changeinfo.php

    $column[timezone_offset]='" . pnVarPrepForStore($timezoneoffset) . "'
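    The root cause in both the NS-Comments "sid" case and the changeinfo.php
    "timezoneoffset" case is the same: an addslashes-style escaper only protects
    a value that sits inside quotes. The following Python model (added here, not
    code from the advisory or from Postnuke) builds the changeinfo.php UPDATE
    three ways and counts how many SET assignments each produces; the escaper,
    table name, uid and sample inputs are assumptions or constructed values.

```python
import re

def pn_var_prep_for_store(value: str) -> str:
    """Model of pnVarPrepForStore(): an addslashes-style escaper (assumption),
    prefixing quotes, backslashes and NUL with a backslash and nothing else."""
    return re.sub(r"(['\"\\\x00])", lambda m: "\\" + m.group(1), value)

def update_unquoted(tz: str) -> str:
    """changeinfo.php before the workaround: escaped, but not wrapped in quotes."""
    return "UPDATE users SET timezone_offset=" + pn_var_prep_for_store(tz) + " WHERE uid=1"

def update_quoted(tz: str) -> str:
    """The advisory's workaround: same escaper, value wrapped in single quotes."""
    return "UPDATE users SET timezone_offset='" + pn_var_prep_for_store(tz) + "' WHERE uid=1"

def update_typed(tz: str) -> str:
    """Stricter fix (not from the advisory): a numeric column only ever receives
    a validated integer, so escaping and quoting no longer matter."""
    if not re.fullmatch(r"-?\d{1,2}", tz):
        raise ValueError("timezoneoffset must be a small integer offset")
    return f"UPDATE users SET timezone_offset={int(tz)} WHERE uid=1"

def accepts(tz: str) -> bool:
    """True if update_typed() accepts the value, False if it rejects it."""
    try:
        update_typed(tz)
        return True
    except ValueError:
        return False

def count_set_assignments(sql: str) -> int:
    """Count assignments in the SET clause, ignoring commas inside quoted
    strings and skipping backslash-escaped characters within them."""
    clause = re.search(r"\bSET\b(.*?)\bWHERE\b", sql, re.S).group(1)
    n, in_str, i = 1, False, 0
    while i < len(clause):
        c = clause[i]
        if in_str and c == "\\":
            i += 2          # escaped char inside a string literal
            continue
        if c == "'":
            in_str = not in_str
        elif c == "," and not in_str:
            n += 1
        i += 1
    return n

if __name__ == "__main__":
    sample = "0, other_col=1"   # constructed input: a comma, no quotes at all
    for build in (update_unquoted, update_quoted):
        print(count_set_assignments(build(sample)), build(sample))
    print("typed version accepts it:", accepts(sample))
```

    With the constructed input the unquoted build yields two SET assignments,
    the quoted build yields one, and the typed build rejects the value outright.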

    Proof of concept
    ================
    [http://www.scan-associates.net/papers/post_nuker.php.txt]

    Vendor Response
    ===============
    05 February 2004 - security@postnuke.com contacted through email. No
    response.
    07 April 2004 - security@postnuke.com contacted through email. No
    response.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

