[UNIX] PostNuke Multiple Vulnerabilities In Xanthia Module

• Previous message: SecuriTeam: "[NEWS] Lexmark Network Printers Built-in Web Server DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 27 Jul 2004 19:58:39 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  PostNuke Multiple Vulnerabilities In Xanthia Module
------------------------------------------------------------------------

SUMMARY

" <http://www.postnuke.com/> PostNuke is an open source, open development
content management system (CMS). PostNuke started as a fork from PHPNuke (
<http://www.phpnuke.org> http://www.phpnuke.org) and provides many
enhancements and improvements over the PHP-Nuke system. PostNuke is still
undergoing development but a large number of core functions are now
stabilizing and a complete API for third-party developers is now in
place."

PostNuke's Xanthia module allows the full path to the system to be
disclosed and cross site scripting attacks to be conducted.

DETAILS

Vulnerable Systems:
 * PostNuke version 0.75-RC3 with Xanthia module
 * PostNuke version 0.726-3 with Xanthia module

Full Path Disclosure
This vulnerability would allow a remote user to determine the full path to
the web root directory and other potentially sensitive information.
Issuing the following request to the server will yield an error message by
PHP that will disclosure the information:
http://localhost/html/modules/Xanthia/pnadmin.php

Fatal error: Call to undefined function: pnmodgetvar() in
c:\appserv\www\html\modules\xanthia\pnadmin.php on line 53

http://localhost/html/modules/Xanthia/pnuserapi.php

Fatal error: Call to undefined function: pnmodgetvar() in
c:\appserv\www\html\modules\xanthia\pnuserapi.php on line 49

Cross Site Scripting
Cross site scripting is possible in PostNuke's Xanthia module. It can be
seen in the showcontent() function, line 896:
 echo "<p><span
    class=\"pn-title\"><strong><em>".pnVarPrepForDisplay($title)."
    </em></strong></span><br />";
    echo "<p align=\"justify\"><span class=\"pn-normal\">";
    if ($cover != "")

A proof of concept example for the XSS issue might be:
http://localhost/html/modules.php?op=modload&name=Reviews&file=index&req=showcontent&id=1&title=%253cscr!pt>alert%2528document.cookie);%253c/scr!pt>

The proof of concept result will cause the following to be displayed
(provided as a screenshot):
<http://www.swp-zone.org/archivos/post-nuke.gif>
http://www.swp-zone.org/archivos/post-nuke.gif

Vendor Status:
Vendors were contacted many weeks ago and plan to release a fixed version
soon. Check the PostNuke website for updates and official release details.

ADDITIONAL INFORMATION

The information has been provided by <mailto:darkbicho@fastmail.fm>
DarkBicho.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Lexmark Network Printers Built-in Web Server DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]