[Full-disclosure] Postnuke 0.750 - 0.760rc4 local file inclusion

From: pokley (pokleyzz_at_scan-associates.net)
Date: 05/16/05

Date: Mon, 16 May 2005 13:08:03 +0800
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>

    Product : Postnuke 0.750 (http://www.postnuke.com)
    Description: Postnuke 0.750 - 0.760rc4 local file inclusion
    Severity: High

    Description
    ===========
    Postnuke is a web content management system written in PHP, using MySQL
    as its database backend.

    Detail
    ======

    Directory traversal in function pnModFunc
    -----------------------------------------

    We have found a serious vulnerability in the function pnModFunc which
    allows any user to view or include local files. It is caused by a lack of
    error checking in pnModFunc when the user supplies func through index.php.
    The func variable is sanitised with pnVarCleanFromInput, which removes any
    slashes before it is passed to pnModFunc in index.php; this makes null-byte
    poisoning possible. With the help of the pnlang directory in the Blocks
    module this vulnerability is very easy to exploit. Remote code execution is
    also possible with the help of a third-party module that allows image
    upload, or through an accessible Apache log file.

    --pnMod.php--
    } else {
        if (file_exists("modules/$modname/pn$type/$func.php")) {
            require_once("modules/$modname/pn$type/$func.php"); // <-- THE PROBLEM: $func is used unvalidated
            return $modfunc($args);
        }
    -------------

    Proof of concept
    ================
    http://server.com/index.php?module=Blocks&type=lang&func=../../../../../../etc/passwd%00
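    The two defensive sides of the issue described in the Detail section and
    the proof of concept above, as an added example that is not part of the
    advisory or of PostNuke's own code: a validation routine of the kind
    pnModFunc lacks (the identifier-only policy, the base directory name
    "postnuke_root" and the function names are assumptions made for this
    example, not the actual CVS fix), and a detector that scans Apache
    access-log lines for traversal sequences and encoded null bytes in
    index.php query strings. The log lines are constructed samples.

```python
import os
import re
from urllib.parse import unquote

# Assumed hardening policy for this example: a module, type or function name may
# contain only identifier characters, so "../", "/" and NUL can never reach require_once.
IDENT_RE = re.compile(r"[A-Za-z0-9_]+")


def resolve_module_file(base_dir, modname, type_, func):
    """Return the resolved path of modules/<modname>/pn<type>/<func>.php under
    base_dir, or None if any component is unsafe or the result escapes base_dir.

    This is the check pnModFunc lacks: $func is validated before the path is built.
    """
    for part in (modname, type_, func):
        # fullmatch rather than search/$, so a trailing newline or NUL is rejected too
        if not IDENT_RE.fullmatch(part):
            return None
    candidate = os.path.join(base_dir, "modules", modname, "pn" + type_, func + ".php")
    real_base = os.path.realpath(base_dir)
    real_candidate = os.path.realpath(candidate)
    # Belt and braces: even a name that passed the regex must stay under the web root.
    if os.path.commonpath([real_base, real_candidate]) != real_base:
        return None
    return real_candidate


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(log_lines):
    """Return a list of (url, reasons) for Apache access-log lines whose index.php
    query string carries a traversal sequence or an encoded NUL byte.

    The URL is percent-decoded first so %2e%2e%2f and %00 are caught as well as
    the literal forms.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        if "index.php" not in url:
            continue
        decoded = unquote(url)
        reasons = []
        if "../" in decoded or "..\\" in decoded:
            reasons.append("directory traversal")
        if "\x00" in decoded:
            reasons.append("null byte")
        if reasons:
            hits.append((url, reasons))
    return hits


# Constructed sample log lines (not real traffic); the first reuses the advisory's PoC URL.
SAMPLE_LOG = [
    '10.0.0.1 - - [16/May/2005:13:08:03 +0800] "GET /index.php?module=Blocks&type=lang&func=../../../../../../etc/passwd%00 HTTP/1.0" 200 1823',
    '10.0.0.2 - - [16/May/2005:13:09:11 +0800] "GET /index.php?module=News&func=view&sid=12 HTTP/1.1" 200 5120',
    '10.0.0.3 - - [16/May/2005:13:10:42 +0800] "GET /index.php?module=Blocks&type=lang&func=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 200 1823',
    '10.0.0.4 - - [16/May/2005:13:11:05 +0800] "GET /modules/Blocks/pnlang/eng/global.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(resolve_module_file("postnuke_root", "Blocks", "lang", "../../../../../../etc/passwd\x00"))
    print(resolve_module_file("postnuke_root", "Blocks", "lang", "index"))
    for url, reasons in flag_suspicious_requests(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```

    The regex alone already stops the attack; the realpath containment check
    is kept so that a later relaxation of the name policy cannot silently
    reopen the traversal. On the detection side, matching on the decoded URL
    matters because the same request can be written with literal "../" and
    "%00" or fully percent-encoded, and only the decoded form is what PHP
    eventually sees.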

    Fix
    ===
    A fix has been available from the PostNuke CVS since 5th May 2005:

    http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnMod.php.diff?r1=1.47&r2=1.48

    http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/index.php.diff?r1=1.39&r2=1.40

    Vendor Response
    ===============
    3rd May 2005 - Vendor contacted
    4th May 2005 - Vendor Reply
    5th May 2005 - Fix Available

    Thanks
    ======
    Thanks to Andreas Krapoh from Postnuke for the fast response on this issue.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

