[Full-Disclosure] [SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection
From: pokley (pokleyzz_at_scan-associates.net)
Date: 04/14/04
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, "full-disclosure@lists.netsys.com" <full-disclosure@lists.netsys.com>
Date: Thu, 15 Apr 2004 02:18:31 +0800
Products: Postnuke v 0.726 (http://www.postnuke.com)
Date: 15 April 2004
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net, shaharil_at_scan-associates.net, munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary: Postnuke v 0.726 and below SQL injection
Description
===========
Postnuke is a web content management system written in PHP that uses MySQL
as its database backend.
Details
=======
We have found multiple vulnerabilities in Postnuke v 0.726, described
below.
SQL Injection in NS-Comments module
-----------------------------------
There is an SQL injection in the INSERT statement for the variable "sid" in
file modules/NS-Comments/index.php at line 1142. The value is escaped with
pnVarPrepForStore() but is interpolated without surrounding quotes:
VALUES ($nextid, ".pnVarPrepForStore($pid).",
".pnVarPrepForStore($sid).", now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
'".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");
This allows a Postnuke user with permission to post comments to include any
character in their comment and carry out an XSS attack to steal other
users' cookies.
SQL Injection in NS-Your_Account module
----------------------------------------
There is an SQL injection in the UPDATE statement for the variable
"timezoneoffset" in file modules/NS-Your_Account/user/modules/changeinfo.php
at lines 334 and 354. Again the escaped value is interpolated without quotes:
$column[timezone_offset]=" . pnVarPrepForStore($timezoneoffset) . "
This allows a Postnuke user to change the account information of other
users, including the Administrator password.
Workaround
==========
1) modules/NS-Comments/index.php
VALUES ($nextid, '".pnVarPrepForStore($pid)."',
'".pnVarPrepForStore($sid)."', now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
'".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");
2) modules/NS-Your_Account/user/modules/changeinfo.php
$column[timezone_offset]='" . pnVarPrepForStore($timezoneoffset) . "'
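Both findings share one root cause: escaping quote characters only helps when the value is placed inside quotes in the SQL text. The following added example (not Postnuke code; the escaping helper is a stand-in for pnVarPrepForStore(), whose exact behaviour is assumed to be addslashes-like) contrasts the unquoted pattern with the advisory's quoting workaround and with an integer cast, which is the stricter fix for a numeric column such as sid or timezone_offset:

```php
<?php
// Stand-in for pnVarPrepForStore(): escapes characters that could end a
// quoted SQL string. It does nothing to letters, spaces or operators.
function prepForStore(string $value): string {
    return addslashes($value);
}

// Vulnerable pattern (NS-Comments / NS-Your_Account before the workaround):
// the escaped value sits in a numeric position with no quotes around it, so
// any input that contains no quote or backslash reaches the SQL verbatim.
function buildInsertUnquoted(string $sid): string {
    return "INSERT INTO nuke_comments (sid) VALUES (" . prepForStore($sid) . ")";
}

// Fix 1, the advisory's workaround: wrap the interpolated value in quotes so
// that the escaping of quote characters is meaningful to the SQL parser.
function buildInsertQuoted(string $sid): string {
    return "INSERT INTO nuke_comments (sid) VALUES ('" . prepForStore($sid) . "')";
}

// Fix 2: for a column that must only ever hold an integer, cast first.
// Non-numeric input collapses to a plain integer literal, no escaping needed.
function buildInsertInt(string $sid): string {
    return "INSERT INTO nuke_comments (sid) VALUES (" . (int) $sid . ")";
}

// Constructed input: no quote characters, so prepForStore() leaves it as-is.
$input = "7 abc";
foreach (['buildInsertUnquoted', 'buildInsertQuoted', 'buildInsertInt'] as $fn) {
    echo str_pad($fn, 20), ' => ', $fn($input), "\n";
}
```

In the unquoted query the text `7 abc` becomes part of the SQL statement itself, in the quoted query it is merely the string literal `'7 abc'`, and in the cast version only the integer `7` remains. Table name and function names are assumed for illustration.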
Proof of concept
================
[http://www.scan-associates.net/papers/post_nuker.php.txt]
Vendor Response
===============
05 February 2004 - security@postnuke.com contacted through email. No
response.
07 April 2004 - security@postnuke.com contacted through email. No
response.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html