[UNIX] Multiple Vulnerabilities In phProfession Module For PostNuke
From: SecuriTeam (support_at_securiteam.com)
Date: 04/25/04
To: list@securiteam.com
Date: 25 Apr 2004 19:07:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities In phProfession Module For PostNuke
------------------------------------------------------------------------
SUMMARY
<http://sourceforge.net/projects/profession/> phProfession is "a job
board script. There are two types of phPro - a standalone version and a
PostNuke module. Support for standalone versions has been discontinued.
This project supports only the PostNuke module starting from version 3.0."
The module suffers from several types of vulnerabilities, including full
path disclosure, cross-site scripting and SQL injection.
DETAILS
Vulnerable Systems:
* phprofession version 2.5, possibly prior
Full path disclosure
By requesting the following URL:
http://localhost/postnuke0726/modules/phprofession/upload.php
The following PHP error message will be displayed:
Warning: main(header.php): failed to open stream: No such file or
directory in
D:\apache_wwwroot\postnuke0726\modules\phprofession\upload.php on line 19
Warning: main(): Failed opening 'header.php' for inclusion
(include_path='.;c:\php4\pear') in
D:\apache_wwwroot\postnuke0726\modules\phprofession\upload.php on line 19
..
Cross-site scripting
The 'jcode' variable used by the upload module is not properly sanitized,
allowing an attacker to perform a cross-site scripting attack:
http://localhost/postnuke0726/modules.php?op=modload&name=phprofession&file=upload&jcode=[xsscode here]
SQL Injection
Because the product does not properly filter the parameters it receives,
SQL injection is possible whenever additional SQL commands are entered
into the offset variable.
An example URL that performs such an injection:
http://localhost/postnuke0726/modules.php?op=modload&name=phprofession&file=index&offset=foobar
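The following log-triage check is an added example, not part of the original advisory or of phProfession. It flags the three request patterns described above: direct requests to upload.php, markup characters in jcode, and a non-numeric offset. The access-log format, the sample lines, and the premise that legitimate offset values are plain non-negative integers are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of an Apache/NCSA access-log entry (log format is an assumption)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r'[<>"\']')   # characters needed to inject HTML or script
DIGITS_RE = re.compile(r'[0-9]+')    # assumed shape of a legitimate offset

def classify(log_line):
    """Return the advisory issues that one logged request matches."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    qs = parse_qs(url.query, keep_blank_values=True)  # values are percent-decoded
    findings = []
    # Full path disclosure: upload.php requested directly, not through modules.php
    if url.path.lower().endswith("/modules/phprofession/upload.php"):
        findings.append("path-disclosure")
    via_loader = url.path.lower().endswith("/modules.php")
    if via_loader and "phprofession" in [v.lower() for v in qs.get("name", [])]:
        # Cross-site scripting: markup characters in the jcode parameter
        if any(MARKUP_RE.search(v) for v in qs.get("jcode", [])):
            findings.append("xss-jcode")
        # SQL injection: anything other than digits in the offset parameter
        if any(not DIGITS_RE.fullmatch(v) for v in qs.get("offset", [])):
            findings.append("sqli-offset")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := classify(line))]

# Constructed sample log lines (documentation IP ranges, paths from the advisory)
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2004:10:00:01 +0200] "GET /postnuke0726/modules.php'
    '?op=modload&name=phprofession&file=index&offset=20 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Apr/2004:10:02:13 +0200] "GET /postnuke0726/modules/'
    'phprofession/upload.php HTTP/1.1" 200 412',
    '198.51.100.7 - - [25/Apr/2004:10:02:40 +0200] "GET /postnuke0726/modules.php'
    '?op=modload&name=phprofession&file=upload&jcode=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 2301',
    '198.51.100.7 - - [25/Apr/2004:10:03:05 +0200] "GET /postnuke0726/modules.php'
    '?op=modload&name=phprofession&file=index&offset=foobar HTTP/1.1" 200 877',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG):
        print(lineno, ",".join(findings))
```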
ADDITIONAL INFORMATION
The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
Vind.