[UNIX] Multiple Vulnerabilities in PostNuke Phoenix
From: SecuriTeam (support_at_securiteam.com)
Date: 04/28/04
- Previous message: SecuriTeam: "[EXPL] Metasploit Microsoft IIS SSL PCT Module"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 28 Apr 2004 18:24:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vulnerabilities in PostNuke Phoenix
------------------------------------------------------------------------
SUMMARY
" <http://noc.postnuke.com/> PostNuke is an open source, open developement
content management system (CMS). PostNuke started as a fork from PHPNuke
(http://www.phpnuke.org) and provides many enhancements and improvements
over the PHP-Nuke system. PostNuke is still undergoing development but a
large number of core functions are now stabilising and a complete API for
third-party developers is now in place."
The vulnerabilities found in PostNuke Phoenix are full path disclosure and
cross-site scripting.
DETAILS
Vulnerable Systems:
* PostNuke version 0.726 (Phoenix)
Full Path Disclosure
All blocks in the '/include/blocks/' directory reveal their true path if
they are access directly (without the proper parameters).
Example:
Accessing the following URL:
http://localhost/postnuke0726/includes/blocks/finclude.php, will reveal:
Fatal error: Call to undefined function: pnsecaddschema() in
D:\apache_wwwroot\postnuke0726\includes\blocks\finclude.php on line 44
Other scripts are also vulnerable:
http://localhost/postnuke0726/pnadodb/drivers/adodb-access.inc.php
http://localhost/postnuke0726/modules/NS-NewUser/user.php
http://localhost/postnuke0726/modules/NS-Your_Account/user/links/links.changehome.php
http://localhost/postnuke0726/modules/NS-Your_Account/user/case/case.changehome.php?op=edithome
http://localhost/postnuke0726/modules/NS-LostPassword/user.php
http://localhost/postnuke0726/modules/NS-Multisites/chgtheme.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/head.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/print.inc.php
http://localhost/postnuke0726/modules/NS-User/tools.php
http://localhost/postnuke0726/modules/NS-User/user.php
Cross-site Scripting
ADDITIONAL INFORMATION
The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
The following XSS attacks are only possible if PostNuke has been made to
use its anti-filtering. Accessing any of the below URLs will trigger the
execution of the [xss code here] block.
http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=ratedownload&ttitle=x&lid=>[xss code here]
http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=>[xss code here]
http://localhost/postnuke0726/modules.php?op=modload&name=Web_Links&file=index&req=search&query=>[xss code here]
http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x
http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x
Vind.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PostNuke started as a fork from PHPNuke ( ... PostNuke's Xanthia module allows the full path to the system to be ... disclosed and cross site scripting attacks to be conducted. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PostNuke is vulnerable to an SQL injection vulnerability, ... print STDERR "Usage: KCpnuke-xpl.pl ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PostNuke is vulnerable for cross site scripting in its file uploading ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... cross-site scripting and SQL injections located throughout the ... The vulnerability exists in the ... The first SQL injection vulnerability is a non-critical one in the ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities have been found ... Cross Site Scripting: ... Path Disclosure: ...
(Securiteam)
